b'\x0c         INTEGRITY* EFFICIENCY* ACCOUNTAB I LITY* EXCELLENCE\n\n\n\n\n                                    Mission\n       Our mission is to provide independent, relevant, and timely oversight\n       of the Department of Defense that:         supports the warfighter;\n       promotes accountability, integrity, and efficiency; advises the\n            Secretary of Defense and Congress; and informs the public.\n\n\n\n                                     Vision\n          Our vision is to be a model oversight organization in the federal\n          government by leading change, speaking truth, and promoting\n          excellence; a diverse organization, working together as one\n               professional team, recognized as leaders in our field.\n\n\n\n\n                      \xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\n                      Fraud, Waste and Abuse\n\n                      HOTLINE\n                     1.800.424.9098 \xe2\x80\xa2 www.dodig.mil/hotline\n                      \xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\xe2\x80\xa2\n\n\n\nFor more information about whistleblower protection, please see the inside back cover.\n\x0cSeptember 16, 2013\n\nObjective                                                 Recommendations\nWe determined whether the Navy Commercial                 We recommend CNIC replace Rapidgate with a system that uses the\nAccess Control System (N<CACS) was mitigating             mandatory databases and revise CNIC policy and guidance to align\naccess control risks for Navy installations.              with Federal and DoD credentialing requirements. Furthermore,\n                                                          we recommend CNIC establish a process to identify and provide\n                                                          commanders with resources and capabilities to access required\nFindings                                                  authoritative databases.\nNCACS did not effectively mitigate access control\nrisks associated with contractor installation             Additionally, we recommend the Director, Shore Readiness, Deputy\naccess.   This occurred because Commander,                Chief of Naval Operations (Fleet Readiness and Logistics), obtain an\nNavy Installations Command (CNJC) officials               independent, comprehell1sive business case analysis of NCACS and\nattempted to reduce access control costs. As              determine future actions for contractor installation access. We also\na result, 52 convicted felons received routine,           recommend the Director perform a review ofCNIC N3AT officials and\nunauthorized     installation    access,   placing        consider administrative actions, if appropriate. We also recomme nd\nmilitary personnel, dependents, civilians, and            the Assistant Secretary of the Navy (Research, Development, and\ninstallations at an increased security risk.              Acquisition), review the inappropriate contracting practices and\nAdditionally, the CNIC N3 Antiterrorism office            establish a corre-ctive action plan.\n(N3AT) misrepresented NCACS costs.             This\noccurred because CNIC N3AT did not perform\na comprehensive business case analysis and\n                                                          Comments\nissued policy that prevented transparent cost             Comments submitted for CNIC were nonresponsive regarding the\naccounting of NCACS.      As a result, the Navy           recommendations to replace Rapidgate with a system that uses the\ncannot account for actual NCACS costs, and                mandatory databases, revise CNIC policy, and provide installations\nDoD Components located on Navy installations              with resources to access the mandatory databases. The Director,\nmay be inadvertently absorbing NCACS costs.               Shore Readiness, Deputy Chief of Naval Operations (Fleet Readiness\nFurthermore, CNIC N3AT officials and the                  and Logistics), comments were generally responsive. However, the\nNaval District Washington Chief Information               Director\'s comments were partially responsive regarding the review\nOfficer circumvented competitive contracting              of CNIC N3AT officials.     Comments submitted for the Assistant\nrequirements to implement NCACS.               This       Secretary of the Navy ( Research, Development, and Acquisition)\noccurred because CNIC N3AT did not have                   were responsive.     We request management provide additional\ncontracting authority. As a result, CNIC N3AT             comments by October 18, 2013. See the Recommendations Table\nspent over $1.1 million i n disallowable costs            on the back of this page.\nand lacked oversight of, and diminished legal\nrecourse against, the NCACS service provider.\n\n\n\n\nVisit us on the web at www.dodig.mil\n                                                      FSR SFFIEIAis ~SE OtlUf\n                                                                                DODIG\xc2\xb72013-134 (Project No. 02013-DOOOLC-0008.000)   Ii\n\x0c                                                             F8R 8FFJCh1d:; ~SE 8NL\\\'\n\n\n\n\n            Recommendations Table\n                                                                                   Recommendations             No Additional\n                                           Management\n                                                                                   Requiring Comment         Comments Required\n\n             Assistant secretary of the Navy (Research, Development, and\n                                                                                                             B.l, C.l, C.2\n             Acquisition)\n\n             Director, Shore Readiness, Deputy Chiet ot Naval Operations\n                                                                                   C.3.a, C.3.b, C.3.c       B.2.a, B.2.b\n             (Fleet Readiness and Logistics)\n\n             Commander, Navy In stallations Command                                A. l, A.2, A.3.a, A.3.b\n\n              Director of Contracts, Naval Sea Systems Command                                               (.2\n\n             Chief of Contracting, Naval Surface Warfare Center, Panama City                                 C.4.a, C.4.b\n\n             Chief of Contracting, Naval Surface Warfare Center, Port Hueneme                                C.4.a, C.4.b\n\n              Please proviide comments by October 18, 2013.\n\n\n\n\nii   I DODIG-2013-134 (Project No. 1>2013-DOOOLC-0008.000)   f\'~R ~FFIEIAL   M8E ~NLY\n\x0c                                       FOR OFFIEIAL l-JSE EHib\'/\n\n                                     INSPECTOR GENERAL\n                                    DEPARTMENT OF DEFENSE\n                                    4800 MARK CENTER DRIVE\n                                 ALEXANDRIA, VIRGINIA 22350-1500\n\n\n\n                                                                                 September 16, 20 13\n\nMEMORANDUM fOR ASSISTANT SECRETARY Of TIIE NAVY (RESEARCH,\n                 DEVELOPMENT, AND ACQUISITION)\n               DIRECTOR, SHORE READINESS, DEPUTY CHIEF OF NAVAL\n                 OPERATIONS (FLEET READINESS AND LOGISTICS)\n               COMMANDER, NAVY :iNSTALLATIONS COMMAND\n               DIRECTOR OF CONTRACTS, NAVAL SEA SYSTEMS COMMAND\n               CHIEF OF CONTRACTING, NAVAL SURFACE WARFARE CENTER,\n                 PANAMA CITY\n               CHIEF OF CONTRACTING, NAVAL SURFACE WARFARE CENTER,\n                 PORT HUENEME\n\nSUBJECT: Navy Commercial Access Control System Did Not Effectively Mitigate Access Control\n         Risks (Repot1 No. DODIG-2013-134)\n\nWe are providing this report for your review and comment. The Navy Commercial Access Control\nSystem. (NCACS) did not effectively mitigate contractor access control risks and allowed convicted\nfelons to access Navy insta llations without the knowledge and approval of the installation\ncommander. In addition, Commander, Navy Installations Command, N3 Antiten\xc2\xb7orism office,\nmisrepresented NCACS costs and circumvented competitive contracting requirements to implement\nNCACS. We considered management comments on a draft of this report from the Department of\nthe Navy, through the consolidated responses by the Deputy Under Secretary of the Navy (Plans,\nPolicy, Oversight, and Integration), when preparing the final report.\n\nDoD Directive 7650.3 requires that all recommendations be resolved promptly. Comments\nsubmitted for the Assistant Secretary ofthe Navy (Research, Development, and Acquisition);\nDirector, Shore Readiness, Deputy Chief of Naval Operations (Fleet Readiness and Logistics); and\nDirector of Contracts, Naval Sea Systems Command, were generally responsive. Comments\nsubmitted for the Commander, Navy Installations Command were nonresponsive. We request the\nDirector, Shore Readiness. Deputy Chief of Naval Operations (Fleet Readiness and Logistics),\nprovide additionaEcomments on Recommendation C.3 and the Commander, Navy Installations\nCommand, provide additional comments on Recommendations A.l , A.2, and A.3 by\nOctober 18, 2013.\n\nIf possible, send a Microsoft Word (.doc) file and portable document format (.pdf) file containing\nyour comments to audros@dodi g.mil. Copies of your comments must have the actual signature of\nthe authorizing official for your organization. We are lmable to accept the /Signed/ symbol in place\nof the actual signature. If you arrange to send c lassified comments electronically, you must send\nthem over the SECRET Intemet Protocol Router Network (SIPRNET).\n\nWe appreciate the courtesies extended to the staff. Please direct questions to me at (703) 604-\n(DSN66-        ).\n\n\n                                                dJ~-\xc2\xb7~Jh<vo\n                                               Alice F. Carey\n                                               Assistant Inspector General\n                                               Readiness, Operations, and Support\n\n\n                                       F9R 9FFIEUrb l-JSE OPH:Y                                   DODIG-2013-134   I iii\n\x0c                                                    FOR OFFIC!Ab USE ONLY\n\n\n\n\n                    Contents\n                    Introduction\n                    Objective                                                                           1\n                    Background                                                                          1\n                    Review of Internal Controls                                                         4\n\n                    Finding A. NCACS Did Not Effectively Mitigate\n                    Access Control Risks for Contractors Entering Navy\n                    Installations                                                                       5\n                    Requirements to Vet Contractors Accessing Navy Installations                        5\n                    Contractor Employees Enrolled in Rapidgate Received Interim Installation Access\n                    Without a Background Check                                                          6\n                    Contractor Employees Received Credentials Without Being Vetted Through Authoritative\n                    Databases                                                                          7\n                    CNIC Attempted to Reduce Access Control Costs                                       9\n                    Installation Personnel Did Not Have Appropr iate Resources to Conduct Background\n                    Checks                                                                             10\n                    Military and Civilian Personnel Placed at Security Risk _                          11\n                    Naval Criminal Investigative Services Concerned with Accuracy and Reliability of\n                    Rapidgate _                                                                        13\n                    Management Comments on the Report                                                  13\n                    Recommendations, Management Comments, and Our Response                             14\n\n                    Finding B. NCACS Projected Costs Not Supported                                     18\n                    Costs Not Identified or Properly Represented                                       18\n                    CNIC Cost Claims Unreliable and Unsubstantiated                                    19\n                    NCACS Costs are Unknown                                                            20\n                    Recomme11dations, Management Comments, and Our Response                            21\n\n                    Finding C. CNIC Circumvented Competitive\n                    Contracting Requirements                                                           23\n                    Contractor Competition is Required                                                 23\n                    Rapidgate Procurement History                                                      23\n                    Prime Contractor Directed to Enter Into Unauthorized Commitments                   24\n\n\n\niv   I DOD!fr2013-l34                               F~R ~FFIEIAL   M8E   ~NLY\n\x0c                              FOR OFFICIAL l-ISE OHLY\n\n\n\nCNIC Officials\' Actions Restricted Full and Open Competition _ _ _ _ _ _ _ _ _ 26\nNavy Lacks Contractual Coverage for Eid Passport Services                          26\nAppropriate Contracting Authority Was Not Used                                     27\nNavy Spent Over $1.1 Million in Potentially Unallowable Costs and Lacked Oversight and\nLegal Recourse Against Eid Passport                                                 28\nConclusion _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 28\n\nRecommendations, Management Comments, and Our Response _ _ _ _ _ _ _ 29\n\nAppendixes\nAppendix A. Scope and Methodology - - - - - - - - - - - - - - - - - 32\n   Use of Computer-Processed Data                                                  33\n   Prior Coverage                                                                  33\nAppendix B. Identified Contractor Companies and Amounts Cha rged for\nNCACS-Remated Cos.ts _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 35\n\nGlossary _________________                                                         36\n\nManagement Comments\nDepartment of the Navy Comments - - - - - - - - - - - - - - - - - 38\n\nAcronyms and Abbreviations __________ 45\n\n\n\n\n                              f?~R ~FFlCIAL   l-ISE ONLY                                 DODIG-2013-134   Iv\n\x0c\x0c                                                FOR OFFIC!Ab USE ONLY                                                                 Introduction\n\n\n\n\nIntroduction\nObjective\nThe objective of the audit was to determine whether the Navy Commercial Access Control\nSystem (NCACS) is mitigating access control risks to Navy installations. See Appendix A\nfor a discussion of the scope and methodology and prior audit coverage.\n\n\nBackground\nNCACS Overview\nNCACS is an enterprise identity management a nd perimeter installation access control\nsolution used to manage commercial vendors, contractors, and suppliers1 requiring\nroutine access to Navy installations.                        NCACS was implemented by the Commander,\nNavy Installations Command (CNIC), the office designated to oversee the physical\nsecurity of all Continental United States Navy installation perimeters. NCACS is managed\nby the CNIC N3 Antiterrorism office (N3AT) and administered through a service\nprovider, Eid Passport, Incorporated (Eid Passport). Eid Passport used its access control\nsystem, known as Rapidgate,Z to provide NCACS services. Eid Passport was designated\nthe responsibility to perform contractor background checks, manufacture RapidgaLe\ncredentials, and maintain information on contractors enrolled in Rapidgate accessing\nNavy installations. The Rapidgate credential provided the contractor with unescorted,\nrecurring installation access.\n\n\nNavy Contractor Credentialing\nChief of Naval Operations Instruction (OPNAVINST) 5530.14E, "Navy Physical Security\nand Law Enforcement Program;\' January 28, 2009, change 1, April 19, 2010, directs\nelimination of local credentials but allowed supplemental credentialing systems to\nbe used as an additional level of access control security not presently afforded by the\nCommon Access Card.\n\nIn July 2010, CNIC issued Notice3 5530, "RAPIDGate Implementation for Non-Common\nAccess Card (CAC) Contractors/Vendors Program Within CONUS Regions, Navy Region\nHawaii and Joint Region Marianas," to implement Rapidgate as the standard identity\nmanagement and perimeter installation access control solution for contractors not\n\n 1\n     For the purpose of this report, commercial vendors, contractors, and supplle\xc2\xb7rs will be referred to as "contractors."\n 2\n     "RAPIDGate" is a registered trademark of Eid Passport, Incorporated.\n \'   According to the OPNAVINST 5215.17, "Navy Directives ISSl\'Cince System," June 13, 200\'5, a notice is a directive that has a\n     one-time or brief nature and is not permitted to rema in in effect for longer than 1 year.\n\n\n\n\n                                                FOR OFFIEUrb USE ONLY                                                              DODJG-2013\xc2\xb7134   It\n\x0cIntroduction                                            FOR OFFIC!Ab USE ONLY\n\n\n\n                    authorized a Common Access Card. In order to avoid the appearance of endorsing\n                    Rapidgate, Eid Passport\'s trademarked product, in May 2011, CNIC updated and issued\n                        Notice 5530, to rename its standard installation access control solution to NCACS. In\n                    July 2012, CNIC updated and issued Notice 5530, which identifies acceptable forms of\n                    identification for contractors requiring physical access to Navy installations, including:\n\n                                \xe2\x80\xa2 Federal and DoD-issued credentials, including the Personal Identity\n                                  Verification (PIV) credential or Transportation Worker Identification Card,\n\n                                \xe2\x80\xa2 Rapidgate credentials, and\n\n                                \xe2\x80\xa2 Local installation passes.\n\n                    According to CNIC Notice 5530, contractors not authorized to receive a Federal or DoD\n                    issued credential could request participation in the Navy\'s NCACS program to obtain a\n                    Rapidgate credential. If a contractor employee elects not to participate in NCACS, the\n                    individual employee may apply for a locally issued pass providing 1 day of installation\n                    access. Each individual employee applying for a locally issued daily pass must be\n                    processed through the installation Pass and Identification office, present valid forms\n                    of identification, and undergo required background vetting by installation security\n                    personnel.\n\n\n                    Rapidgate Enrollment Process\n                        NCACS is a voluntary program that allowed contractors recurring installation access.\n                    To enroll in Rapidgate, the contractor company is required to obtain verification from\n                    a designated NCACS installation sponsor. Once verified and approved, the contractor\n                    company then pays Eid Passport an enrollment fee of $199 annually for access to a\n                    single installation, or $249 annually for access to multiple installat ions. If the contractor\n                    employee chooses to participate in NCACS, the employee registers at a Rapidgate kiosk for\n                    installation access. Eid Passport requires an additional enrollment fee for each contract or\n                    employee that registers for Rapidgate. An employee can receive a Rapidgate credential\n                    that provides installation access for 90 days or 1 year fo r the following enrollment fees:\n\n                                \xe2\x80\xa2 $159 for 1 year of access to a single installation,\n\n                                \xe2\x80\xa2 $199 for 1 year of access to multiple installations, or\n\n                                \xe2\x80\xa2 $5Y for YO days of access to a single installation.\n\n                    After receiving the contractor employee\'s enrollment fee, Eid Passport\'s third-party\n                    vendors perform public record checks using publicly accessible databases. However,\n\n\n\n\n2   I DODfG-20 13-134                                   t<e~   eFFlEIAL USE ONLY\n\x0c                                FOR OFFICIAL l.xJ9E ONLY                                   Introduction\n\n\n\nEid Passport stated, "not all public records are up-to-date, complete, accurate, or\navailable." Before the public record checks are completed, contactor employees enrolled\nin Rapidgate can obtain temporary installation access for up to 28 days. Contractor\nemployees present the installation\'s Pass and Identification Office with a Rapidgate\nenrollment receipt and personal identification to obtain interim access until they are\nauthorized or denied participation in Rapidgate.\n\nAfter Eid Passport determines the contractor employee passed the public record check,\nit provides the installation(s) with the employee\'s Rapidgate credential for issuance.\nThe Rapidgate credential is valid for up to 5 years but only remains active for up to\n1 year at a time. To keep the Rapidgate credential active for another year, Eid Passport\nrequires contractor employees to pay an annual fee and undergo a renewal background\ncheck. In addition to the renewal background checks, contractor employees are also\nsubject to periodic public record checks. These periodic checks search limited public\nrecords for changes in the employee\'s criminal history since the previous background\ncheck. However, if Eid Passport determines the contractor employee failed the public\nrecord check, the employee has the option to submit a waiver request to the installation\ncommanding officer. The commanding officer reviews the waiver request and failed\npublic record check to determine whether the installation accepts the risk of granting\nthe contractor employee installation access. If Lhe commanding officer accepts the\nassociated risk, the employee can participate in NCACS and is granted a Rapidgate\ncredential allowing unescorted access to the installation. If the commanding officer\ndoes not accept the risk, the contractor employee cannot participate in NCACS. See\nFigu re 1 on page 4 for a diagram of the NCACS participation process.\n\n\n\n\n                                FOR 8FFIEIAb l.xJSE ONLY                               DODJG-2013\xc2\xb7134   I3\n\x0cIntroduction                                                      FOR OFFICIAL l-ISE OHLY\n\n\n\n                    Figure 1. NCACS Participation Process\n\n                                                                        Company does not         ____.         Contractor employees\n                                                                       participate in NCACS                   request daily passes for\n                                                                                                                insrallaaio11 access\n\n\n\n                                                                           Company obmins installation\n                                  Company participates in       ---+      sponsorship and pays enrollment\n                                         NCACS                                     fee to Eid Passpon\n\n\n\n\n                                     Employee enrolls into                                                            Employee provides Pas.\xe2\x80\xa2\n                                                                              Employer/Employee                       and Identification Oftlce\n                                        Rapidgate at the\n                                    ins1allarion kiosk in rhe\n                                                                             pays\'llnrollmem iee to       --+         with proof of enrollment\n                                                                            Eid Passpon nnd publ;c                   and personal identification\n                                    Pass and ldenti ficntion                record check is initiated\n                                              Otlicc                                                                    to obtain a temporn.ry\n                                                                                                                             28-day pass\n\n\n\n\n                                                                       Eid Passpon perfOI\'ms background\n                                                                         check us~ng third-party vendor\n\n\n\n\n                                     Eid Passport notifies contractor employee                     Eid Passport notifies contractor of failed\n                                      that \xc2\xb7the installation has their Rapidgate                             background cheek\n                                                credemial for issuance\n\n\n\n                                                                                                    Employee has the option to apply for a\n                                       Pa!iS and Identification Office issues                          waiver to access in$1allalion\n                                      Rapjdgarc crcdenriul to cont:mc1or with\n                                           proper personal idenfification\n\n\n                                                                                                   Navy installation conunander reviews\n                                                                                                   Miver request and approves or denies\n                                                                                                    contractor insrallation access through\n                                                                                                                  Raptdgate\n\n\n\n\n                    Review of Internal Controls\n                    DoD    Instruction      5010.40, "Managers\'                             Internal Control                     Program           Procedures,"\n                    May 30, 2013, requires DoD organizations to implement a comprehensive system\n                    of internal controls that provides reasonable assurance programs are operating as\n                    intended and to evaluate the effectiveness of the controls.                                                   We identified internal\n                    control weaknesses for the Navy. In attempt to reduce access control costs, CNIC did\n                    not follow Federal credentialing standards and DoD contractor vetting requirements\n                    and did not provide 7 of the 10 installations visited the appropriate resources and\n                    cap\xc2\xb7a bilities to conduct required contractor background checks.                                                               Furthermore,\n                    CNIC N3AT did not perform a comprehensive business case analysis (BCA) and issued\n                    pohcy that prevented transparent accounting for actual NCACS costs. Additionally,\n                    CNIC N3AT did not have contracting authority and developed a certification of compliance\n                    (COC) as an admin-istrative approach to maintain a relationship with Eid Passport. We\n                    will provide a copy of the report to the senior Navy official responsible for internal\n                    controls.\n\n\n4   I DODfG-20 13\xc2\xb7134                                             f9R 9FffEUrb HS8 OPH:Y\n\x0c                                  POR OPPIEIAL t1~E ONI::Y                                       Finding A\n\n\n\n\nFinding A\nNCACS Did Not Effectively Mitigate Access Control Risks\nfor Contractors Entering Navy Installations\nThe Navy Commercial Access Control System, Rapidgate, did not effectively mitigate the\naccess control risks of contractors accessing Navy installations. Specifically, numerous\ncontractor employees enrolled in Rapidgate received interim installation access and\nRapidgate credentials without having their identities vetted through mandatory\nauthoritative databases, such as the National Crime Information Center (NCIC)\ndatabase and the Terrorist Screening Database.        Furthermore, as an alternative to\nNCACS, contractor employees could obtain a local daily pass without having their\nidentities vetted through NCIC and the Terrorist Scree ning IDatabase. This occurred\nbecause-in an attempt to reduce access control costs-CNIC did not:\n\n         \xe2\x80\xa2 follow Federal credentialing standards and DoD contractor vetting\n              requirements a nd\n\n         \xe2\x80\xa2 provide 7 of the 10 installations visited with the appropriate resources and\n              capabilities to conduct required contractor background checks.\n\nAs a result, 52 convicted felons received routine, unauthorized access to Navy\ninstallations for 62 to 1,035 days since Eid Passport\'s initial public record checks did not\nidentify the felony convictions. This placed military personnel, dependents, civilians,\nand installations at an increased security risk.\n\n\n\nRequirements to Vet Contractors Accessing Navy\nInstallations\nHomeland Security Presidential Directive 12, "Policy for a Common Identification\nStandard for Federal Employees and Contractors," August 27, 2004, requires that\nall Government employees and contractors who require routine physical access to\nGovernment facilities and insta1lations receive a standard and secure identification\ncredential.     In accordance w ith Homeland Security Presidential Directive 12, the\nDepartment of Commerce\'s National Institute of Standards and Technology issued the\nFederal Information Processing Standard 201, "Personal Identity Verification (PIV) of\nFederal Employees and Contractors," change notice 1, March 2006, which identifies the\nPIV credential as the standard Federal identification credential. The PIV credential is\na secure identification credential that Federal employees and contractors can use to\n\n\n\n\n                                  POR OFFtEIAL t1SE ONLY                                   DODJG-2013\xc2\xb7134   I5\n\x0cFinding A                                                       FOR OFFIC!Ab USE ONLY\n\n\n\n                   gain access to federally controlled facilities and installations. According to Office of\n                   Management and Budget Memorandum 05-24, "Implementation of Homeland Security\n                   Presidential Directive (HSPD) 12 - Policy for a Common Identification Standard for Federal\n                   Employees and Contractors," August 5, 2005, (OMB Memorandum 05-24). Government\n                   employees and contractors requiring routine physical access to an installation for greater\n                   than 6 months must receive a PIV credential.\n\n                   DoD Directive Type Memorandum (DTM) 09-012, "Interim Policy Guidance for DoD\n                   Physical Access Control;\' December 8, 2009, incorporating change 3, March 19, 2013,\n                   establishes identity vetting standards across DoD. DTM 09-012 aligns with Federal\n                   vetting standards to require that PIV-eligible contractors receive a National Agency\n                   Check with Written Inquiries background investigation prior to determining fitness.\n                   DTM 09-012 requires that contractors without a Federal PIV or DoD-issued credential4\n                   be vetted through NCIC and the Terrorist Screening Database to gain unescorted access\n                   to DoD installations and stand-alone facilities. According to DTM 09-012, these access\n                   control standards shall be implemented as resources, Jaw, and capabilities permit.\n\n\n                   Contractor Employees Enrolled in Rapidgate Received\n                   Interim Installation Access Without a Background\n                   Check\n                   CNIC policy provided contractor employees enrolled in Rapidgate interim installation\n                   access before a background check was completed. CNIC Notice 5530 allows contractors\n                   who registered with NCACS at the installation\'s Rapidgate kiosk, without a completed\n                   background check, to obtain temporary installation access for up to 28 days. For example,\n                   9 of the 10 Navy installations visated allowed temporary access to contractor employees\n                   enrolled in Rapidgate prior to completing a background check. According to installation\n                   security personnel, after registration at the installation\'s Rapidgate kiosk, contractor\n                   employees were only required to present a Rapidgate enrollment receipt to qualify for\n                   28 days of unescorted access. However, the employee\'s claimed identity was not vetted\n                   against mandatory authoritative databases. By giving contractors interim installation\n                   access bef.ore vetting them through the mandatory authoritative databases, the NCACS\n                   process and CNIC Notice 5530 violated DTM 09-012.\n\n\n\n\n                    4\n                        A DoD-issuecl credential includes the Common Access Card.\n\n\n\n\n I\n6 DODIG-2013-134                                                FEJR EJFFIEIAb ~SE EJNH/\n\x0c                                FOR OFFICIAL l.xJ9E ONLY                                          Finding A\n\n\n\n\nContractor Employees Received Credentials Without\nBeing Vetted Through Authoritative Databases\nEid Passport vetted contractor employees enrolled in Rapidgate through the use of\npublic record checks. DTM 09-012 requires an authorized Government representative to\nconduct identity-proofing and vetting of a claimed identity to determine an individual\'s\nfitness for installatjon access. Only personnel delegated by the installation commander\nshall perform access control duties, including identity proofing, vetting and determination\nof fitness, and access authorization and privileges. However, CNIC policy appointed\nEid Passport to manage the NCACS program through Rapidgate and determine the\nfitness of contractor employees for installation access. CNIC delegated to Eid Passport\nthe responsibility to collect the contractor employee\'s enrollment information and vet the\nemployee through public record databases. After Eid Passport determined the contractor\nemployee passed the public record check, Eid Passport provided Navy installations with\nthe employee\'s Rapidgate credential for issuance. Navy installation officials relied on\nEid Passport\'s adjudication of contractor employees and only validated an employee\'s\nidentity through proof of ro, such as a driver\'s license, and proof of employment to issue\nthe Rapidgate credential.\n\nIn addition, the public record databases used by Eid Passport were unreliable. Eid\nPassport acknowledged, "neither the Service Provider nor its screening providers can\nguarantee the completeness or accuracy of the data obtained," and the results of the\nchecks were subject to the reliability of the public records searched, which were not\nalways up-to-date. CNIC N3AT officials approved the Rapidga te Statement of Work and\nknowingly accepted the security risks associated with the accuracy and reliabihty issues\nof the public record! checks. CNIC N3AT officials stated performing\npublic record checks through Rapidgate improved the Navy\'s\nprevious physical access controls, which did not include                  Eid\n                                                                        Passport\nany contractor background checks.           Furthermore,            acknowledged,\nCNIC Notice 5530 states that an NCACS objective is to             "neither the Service\nenhance installation safety and security.      However,        Provider nor its screening\n                                                                providers can guarantee\ndue to the unreliable accuracy of vetting contractors\n                                                                  the completeness or\nthrough the Rapidgate system, the claimed reductions              accuracy of the data\nin security risk provided installation commanders with                 obtained,"\na false sense of security, leaving installations exposed to\npotentially hostile actions.\n\n(F8~8)   Furthermore, contractor employees obtained Rapidgate credentials that were\nactive for 1 year, regardless of the length of time a contractor required installation\naccess. According to OMB Memorandum 05-24, Government employees and contractors\n\n\n                                F~R   OFFtciAL l.xJSE ONLY                                  DODJG-2013\xc2\xb7134   I7\n\x0cFinding A                                           FOR OFFICIAL l.xJ9E ONLY\n\n\n\n                   (fQijQ) requiring routine physical access to an installation for greater than 6 months\n                   must receive a PIV credential. To obtain a PIV credential, the employee, at a minimum,\n                   must undergo a National Agency Check with Written Inquiries background investigation.\n                   The investigation provides the Government with assurance that an individual meets\n                   the fitness requirements for accessing federally controlled facilities. However, once a\n                   contractor employee enrolled in Rapidgate passed the initial Eid Passport public record\n                   check and paid the associated 1-year fee, the employee received unescorted installatmon\n                   access for 1 year. For example, a                                          contractor was\n                   required to perform deliveries on the installation with a service period of approximately\n                   1 year. To obtain installation access, the contractor\'s employees participated in NCACS\n                   and received Rapidgate credentials. However, the employees required routine physical\n                   access for greater than 6 months and should have received PIV credentials with the\n                   subsequent background investigations, as required by OMB Memorandum 05-24.\n\n                   (fQijQ) Additionally, seven Navy installations granted access to contractor employees\n                   without vetting employee identities through NCJC and the Terrorist Screening\n                   Database. DTM 09-012 requires that contractors without a Federal PIV or DoD-issued\n                   credential be vetted through the NCIC database and the Terrorist Screening Database\n                   to gain unescorted access to DoD installations and stand-alone facilities. According to\n                   DTM 09-012, Lhese vetling standards shall be implemenled as resources and\n                   cap,a bilities permit. Of 10 installations visited, 7 Navy installations did not vet all\n                   contractor employees through NCIC before issuing Rapidgate credentials and daily\n                   passes.   For example,                                    only performed local database\n                   searches to vet contractor employees obtaining daily passes. Local databases used by\n                   installations included Sex Offender RegEstration and Notification Act and local no-entry\n                   lists. Contractor employees obtaining Rapidgate credentials to access the installation\n                   received the public record checks performed by Eid Passport\'s third-party vendor.\n                   However, none of the contractor employees entering the installation were vetted\n                   against NCIC and the Terrorist Screening Database, as required.\n\n                   (F9HQ) The remaining three installations vetted all contractor employees through the\n                   NCIC database before issuing Rapidgate credentials and daily passes. For example-\n                                             had the capability to access NC IC through the Navy Region Mid-\n                   Atlantic Security Office and required all contractor employees accessing the installation\n                   to undergo an NCIC check before issuing a IRapidgate credential or a daily pass.\n                   Navy Region Mid-Atlantic Security Office personnel stated that, using NCJC, they identified\n                   contractors with felony charges not found by the Rapidgate public record checks and\n                   denied access to these contractor employees. If the installation solely relied on the\n                   public record checks, these contractors would have otherwise been granted a Rapidgate\n                   credential that facilitated unescorted installation access.\n\n\n I\n8 DODIG-2013-134                                    FeR OFFtCIAL l.xJSE ONLY\n\x0c                                fi\'eJf( eJfi\'FICIAL l-J8E eJP4LY                                     Finding A\n\n\n\n\nCNIC Attempted to Reduce Access Control Costs\nCNIC attempted to reduce its access control costs through NCACS. According to a Navy\ninst ruction, CNIC is responsible ifor providing the support and funding for the physical\nsecurity of Navy installations. To reduce CN IC\'s physical security costs, CNIC increased\ncontractor participation in NCACS by issuing NCACS policy that did not follow Federal\ncontractor employee credentialing and vetting requirements.\n\nAccording to OMB Memorandum 05-24, Government employees\nand contractors requiring routine physical access to an                       CNIC\n                                                                           restricted\ninstallation for greater than 6 months must receive a PmV\n                                                                         the number of\ncredential and undergo a National Agency Check with                 c ontractors eligible to\nWritten Inquiries background investigation. However:,              re ceive a PIV credential\nCNIC\'s NCACS implementation policy included additionam                and the subsequent\n                                                                          background\naccess requirements for contractor PIV credential                        investigations.\neligibility and increased the number of contractors eligib le\nto receive a Rapidgate credentiaL According to CNIC Notice 5530,\na contractor must require both physical access to a Navy installation and logical access\nto a Navy or DoD network to be eligible to receive a DoD PIV credential.                Since\nCNIC included the requirement for contractors to require logical access to receive\na PIV credential, CNIC restricted the number of contractors eligible to receive a\nPIV credential and the subsequent background investigations.\n\nBy restricting PlV credential eligibility requirements, CNIC increased the number\nof contractors eligible to receive a Rapidgate credential and minimized CN IC\'s costs\nto perform contractor credentialing and vetting.            According to CNIC Notice 5530,\ncontractors determined by CNIC to be ineligible for a PIV credential can only gain\nreoccurring installation access by participating in NCACS. Contractors participating\nin NCACS must pay Eid Passport to perform background vetting and create\nRapidgate credentials.   Additionally, the Rapidgate Statement of Work states that\ncontractors who participate in NCACS are only vetted using public record checks\nto obtain unescorted installation access. CNIC should discontinue the use of Rapidgate\nand any other system that exclusively uses publicly available databases to vet and\nadjudic<1te contr<1ctor employees accessing N<1vy installations and implement C:l system\nthat meets Federal and DoD requirements for background vetting using the mandatory\ndatabases.   Additionally, CN IC should revise NCACS policy to aJign with Federal\nand DoD contractor vetting and credentialing requirements to provide contractors\nwith the required credentials and background investigations.\n\n\n\n\n                               FEJR EJFFIEIAb ~SE 8P4LY                                        DODJG-2013\xc2\xb7134   I9\n\x0cFinding A                                       FOR OFFIC!Ab USE ONLY\n\n\n\n                Installation Personnel Did Not Have Appropriate\n                Resources to Conduct Background Checks\n                CNIC did not provide 7 of 10 Navy installations visited the appropriate resources and\n                cap,a bilities to conduct mandatory NCIC and Terrorist Screening Database checks. DoD\n                DTM 09-012 requires contractors without a Federal PIV or DoD-issued credential to be\n                vetted through authoritative databases before granting unescorted installation access,\n                as resources and capabilities permit.    DTM 09-012 states installation Government\n                representatives must query NCIC and the Terrorist Screening Database to vet and\n                determine the fitness of a contractor employee. According to a Navy instr uction, CNIC\n                is responsible fo r providing the support and funding for the physical security of Navy\n                installations.\n\n                (FQWQ) Of the 10 Navy installations visited, 7 did not have access to NCIC and the\n                Terrorist Screening Database to properly vet all contractor employees. CNIC N3AT\n                officials stated that they provided installations fund ing to perform NCIC and Terrorist\n                Screening Database checks.      However, installation security personnel stated the\n                installations lacked the resources or capability to conduct NCIC and Terrorist\n                Screening Database checks on all contractor employees.        For example, installation\n                security personnel at\n                stated they did not have the resources to screen every contractor employee through\n                NCIC before issuing a Rapidgate credential or daily pass. The installation also did\n                not have the capability to access the NCIC database. Additionally, installation security\n                personnel at                                         did not have the capability to\n                access NCIC.     Specifically, personnel stated that they did not have NCIC terminals\n                at the installation to connect to the NCIC database. See Table 1 on page 11 for an\n                installation breakdown of contractor vetting through NCIC and the Terrorist Screening\n                Database. CNIC should provide the seven installations identified with the resources\n                and capabilities to access NCIC and the Terrorist Screening Database to vet contractors\n                requesting access to Navy installations. Furthermore, CNIC should establish a process to\n                identify which remaining Navy installations need resources and capabilities to conduct\n                NCIC and Terrorist Screening Database checks before granting contractor employees\n                installation access.\n\n\n\n\n  I\n10 DODIG-2013-134                               FOR OFFlEIAL USE ONhY\n\x0c                                 FOR OFFICIAL (.ooJ9E OHLY                                     Finding A\n\n\n\nfF9H\xe2\x82\xacJj Table 1. Installation Contractor Vetting Through NCIC and the Terrorist Screening\nDatabase\n\n\n\n\nMilitary and Civilian Personnel Placed at Security Risk\nThere were 52 convicted felons who received routine access to Navy\ninstallations even though their felony convictions occurred\n                                                                        There were\nbefore they were issued a Rapidgate credential. This placed            52 convicted\nmilitary personnel, dependents, civilians, and installations at         felons who\nan unacceptable level of safety and security risk. Although          received routine\n                                                                      access to Navy\nCNIC N3AT officials claimed NCACS increased installation               installations.\nsecurity over the previous approach of providing no contractor\nemployee background checks, NCACS provided installation\ncommanders with a false sense of security. Contractor employees\nwith prior felony convictions received Rapidgate credentials without the knowledge\nand approval of the installation commander. Eid Passport public record checks showed\nthat 53 individuals failed a renewal or periodic check. Of the 53 public record checks,\n52 contractor employees were aHowed installation access before Eid Passport identified\ntheir felony convictions, even though their felony convictions occurred before the\ncontractor was issued a Rapidgate credential. The felony convictions were not identified\nduring the initial Rapidgate public record checks, even though the felonies identified\noccurred an average of 13 years: prior to passing the initial Rapidgate screening. The\nremaining public record check was a renewal check that identified the individual had a\n\n\n\n\n                                 FOR OFFICIAL (.ooJSE ONLY                              DODIG-2013-134   Ju\n\x0cFinding A                                             FOR OFFIEL\'tb HSE ONbY\n\n\n\n                Social Security Number that was invalid, belonged to a deceased person, was listed in a\n                Tme Name Fraud Alert, or belonged to another individual. However, this Social Security\n                Number issue was not identified on the initial Eid Passport public record check. and the\n                individual had installation access for 345 days before this issue was identified. In every\n                CNIC region we visited, we identified contractors enrolled in Rapidgate who were given\n                installation access before felony convictions were identified. See Table 2 for a regional\n                breakdown.\n\n                Table 2. Rapidgate Contractors Accessing Navy Installations with Previously Unidentified\n                Felonies\n\n                                                                                           Rapidgate Contractors\n                                                                                              with Previously\n                                                                                           Unidentified Felonies\n                                                                 Number of Installations   Accessing Installations\n                                   CNIC Navy Region                    Visited                    Visited\n\n                    Navy District Washington                                2                         1\n                    Mid-Atlantic                                            2                        12\n                    South East                                              2                         8\n\n                    Midwest                                                 1                        15\n                    North West                                              1                         6\n                    South Wesl                                              2                        10\n                     Total                                                 10                       52\n\n\n\n\n                For example, one contractor employee was first issued a Rapidgate credential in June 2009.\n                According to the public record check performed by Eid Passport\'s third-party vendor, the\n                employee failed a Rapidgate renewal check in April 2012, based on a felony conviction\n                for "conspiracy to distribute.-.cocaine base." This felony conviction occurred in 2000 but\n                was not identified by Eid Passport\'s check until the employee failed the renewal check in\n                April 2012. This contractor employee had unes-corted access to a Navy installation for\n                1,035 days before the felony conviction was identified. Furthermore, another contractor\n                employee was issued a Rap idgate credential in October 2011 and failed a periodic public\n                record check in January 2012. The individual failed the public record check based on a\n                felony conviction of "indecent liberties with a child" that occurred in 1987. Before the\n                felony was identified, the contractor employee had 91 days of unescorted access to a\n                Navy installation. Given that child development centers, schools, and family housing are\n                located on many Navy installations, accurate vetting of contractor employees is essential\n                to ensure the safety of children on Navy installations.\n\n\n\n\n  I\n12 DODIG-2013-134                                     FEJR EJFFIEIAb HSE EJPH:Y\n\x0c                                                FOR OFFIC!Ab USE ONLY                                                  Finding A\n\n\n\nAdditional examples of unidentified felony convictions in the public record checks\nincluded drug possession, assault, theft, and throwing a missile5 at an occupied\nvehicle. Installation commanding officers were unaware that the Rapidgate system had\ngranted contractor employees with prior fe~ony convictions reoccurring access to their\ninstallations. The prior felony convictions should have been identified by the initial\npublic record checks performed on these employees. Instead, the felonies were not\nidentified until subsequent Rapidgate public record checks, such as annual renewals\nand periodic checks, were performed by Eid Passport\'s third-party vendors. Therefore,\nCNIC N3AT provided installation commanders with a false sense of security by\nknowingly accepting the security risks associated with public record databases that were\nnot all "up-to-date, complete, accurate, or available."\n\n\nNaval Criminal Investigative Services Concerned with\nAccuracy and Reliability of Rapidgate\n(~Q\\JQ)       According to Naval Criminal Investigative Services Headquarters officials,\nthe Naval Criminal Investigative                                                 Field Office expressed concern\nwith the accuracy and reliability of Rapidgate background vetting. The Naval Criminal\nInvestigative Services -                               Field Office identified multiple criminal incidents,\nsuch as convictions for cocaine distribution, associated w ith Rapidgate contractor\nbackground vetting and initiated an inquiry into the Rapidgate operations at the\n                                           Based on the identified incidents, the special agent leading\nthe inquiry contacted SecurTest, one of the third-party background screener.s used by\nEid Passport. The agent requested that SecurTest provide details on how background\nvetting is accomplished for non-DoD applicants participating in Rapidgate. According\nto the special agent, SecurTest allegedly queried the applicants against sex offender\nregistries and Clerk of the Court records in the locations the                           app~icant   disclosed to\nhave resided. Thus, according to the special agent, the background vetting is not\nnationwide and solely relles on the integrity of application information. Naval Ctirninal\nInvestigative Service~ Field Office personnel stated that they plan to run over\n3,000 Rapidgate cardholders through NCIC to determine whether any convicted felons\nwere undetected and granted installation access.\n\n\nManagement Comments on the Report\nThe Department of the Navy, through the Deputy Under Secretary of the Navy (Plans, Policy,\nOversight, and Integration), consolidated the management comments from the Director,\n\n\n 5\n     A missile is any object thrown or projected, such as a stone or a bullet.\n\n\n\n\n                                                FSR 8FFIEIAb ~SE 8NLY                                           DODIG-2013-134 J B\n\x0cFinding A                                       FOR OFFIC!Ab USE ONLY\n\n\n\n                Program Analysis and Business Transformation and Director, Services Acq uisition, Office\n                of the De puty Assistant Secretary of the Navy (Acquis ition a nd Procurement); Director,\n                Shore Readiness, Deputy Chief of Naval Operations (Fleet Readiness and Logistics) ;\n                Deputy Commander, Navy Installations Command; and Associate Director of Contracts,\n                Naval Sea Systems Command regarding our recommendations:. CNIC requested further\n                discussion on the d isposition of Recommendations A.1 - A.3 and Recommend ation C.3.\n                We held discussions with CNIC and considered those discussions in the final preparation\n                of our repor t.\n\n\n                Recommendations, Management Comments, and Our\n                Response\n                Recommendation A.l.\n                We recommend the Commander, Navy Installations Command, immediately\n                discontinue the use ofRapidgate and any other system that exclusively uses publicly\n                available databases to vet and adjudicate contractor employees access ing Navy\n                installations, and replace it with a system or process that meets Federal and DoD\n                requirements for background vetting.\n\n\n                Commander, Navy Installations Command Comments\n                The Deputy Commander, Navy Installations Command, responding for the Commander,\n                Navy Installations Command, disagreed with the recommendation.                 The Deputy\n                Commander stated NCACS standards meet Federal and DoD requirements for background\n                vett ing and that the Navy currently conducts NC IC checks and final credential issuance.\n                Additionally, the Deputy Commander stated that prior to accepting a commercial\n                credential source for NCACS, the credentialing firm must demonstrate full compliance\n                with Federal, DoD, and Navy standards, including DTM 09-012. Finally, the Deputy\n                Commander stated that discontinuing NCACS will ensure long li nes at Navy access points,\n                resulting in productivity loss for contractors doing business on Navy installations, and\n                would require hiring additional civil servants to work in base pass offices.\n\n\n                Our Response\n                Comments from       the Deputy Commander,         Navy Installations Command, were\n                nonresponsive.     NCACS is administered by a commercial credentialing source,\n                Eid Passport, which uses Rapidgate to vet contractor employees accessing Navy\n                installations. As noted in our dlraft report, Rapidgate relies exclusively on unreliable\n                public remrd databases.         CNIC N3AT\'s Program Director acknowledged that\n\n\n\n\n  I\n14 DODIG-2013-134                               FOR OFFIEUrb USE ONLY\n\x0c                                 FOR OFFIC!Ab USE ONLY                                              Finding A\n\n\n\nEid Passport does not have the capability to perform NCIC checks, and that Navy\ninstallation s should be performing an NCIC check prior to providing contractors an\nNCACS credential. Also, as noted in our draft report, not all installations had access to the\nNCIC database_ Since Eid Passport does not have the capability to perform NCIC checks\nto vet contractor employees, and not all Navy installations nave the ability to access\nNCIC, NCACS is not fully compliant with DoD background vetting standards outlined in\nDTM 09-012.\n\nAdditionally, the Deputy Commander stated that if NCACS was discontinued, additional\ncivil servants would need to be hired to work at the base pass offices. However, Navy\nRegion Mid-Atlantic successfully used only three full-time employees to administer NCIC\nscreenings for all contractors accessing 15 Navy installations. Navy Region Mid-Atlantic\npersonnel reported that the NCIC checks resulted in the identification of and subsequent\ndenial of installation access fo r felons not identified by Rapidgate. Therefore, based on\nRapidgate\'s unreliable public record checks, Rapidgate could be eliminated resulting in\npotential cost savings for the Navy. We request that the Commander, Navy Installations\nCommand, r econsider the recommendation and provide additional comments on the\nfinal report.\n\n\nRecommendation A.2.\nWe recommend the Commander, Navy Installations Command, revise\nInstruction 5530.14, "CNIC Ashore Protection Program," July 7, 2011, and\nNotice 5530, "Navy Commercial Access Control System Within Continental\nUnited States Regions. Navy Regi.on Hawaii, and Joint Region Marianas,"\nJuly 5, 2012, to require contractor employees requiring routine physical access\nto Navy installations for greater than 6 months receive the DoD Personal\nIdentity Verification credential with the National Agency Check with\nWritten Inquiries.\n\n\nCommander, Navy Installations Command Comments\nThe Deputy Commander, Navy Installations Command, responding for the Commander,\nNavy Installations Command, disagreed with the recommendation.                 The Deputy\nCommander stated CNIC is following DoD and congressional guidance to accept identity\ncredentials from non-Federal issuers.      The Deputy Commander stated that CNIC\'s\nunderstanding of current policy is that both requirements-physical access to an\ninstallation for greater than 6 months and logical access to the Navy\'s networks-must\nbe met for receipt of a Common Access Card. Additionally, the Deputy Commander stated\nNCACS vetting combined with the NCIC checlk encompasses those checks conducted via a\nNational Agency Check with Written Inquiries.\n\n\n                                 FOR OFFICIAL USE ONhY                                      DODIG-2013-134 J 1s\n\x0cFinding A                                         FOR OFFIC!Ab USE ONLY\n\n\n\n                 Our Response\n                 Comments from the Deputy Commander, Navy Installations Command, were\n                 nonresponsive. If it was the Deputy Commander\'s intent to indicate compliance with DoD\n                 and Congressional guidance by accepting Personal Identity Verification Interoperable\n                 (PIV-1) credentials from non-Federal issuers as an alternative to issuing PIV credentials,\n                 then we disagree. As noted in our draft report, OMB Memorandum 05-24 states that\n                 Government employees and contractors requiring routine physi.cal access to an\n                 installation for greater than 6 months must receive a PIV cred ential. According to the\n                 Federal Chief Information Officer Council, "Personal Identity Verification Interoperable\n                 Frequently Asked Questions," June 28, 2010, agencies cannot accept PIV-1 cards issued\n                 by a contractor\'s company in lieu of issuing PIV cards to those individuals. Specifically,\n                 "individuals who fall within the applicability of HSPD-12, including Federal contractors\n                 requiring routine access to Federally-controlled facilities or Federally-controlled\n                 information systems for a period of time greater than 6 months, must continue to be\n                 issued PIV cards by the Federal Government." The Office of Personnel Management issued\n                 "Final Credentialing Standards for Issuing Personal Identity Verification Cards under\n                 HSPD-12," July 31, 2008, which provides Government-wide PIV credentialing standards\n                 for employees and contractor personnel. A senior program analyst, speaking on behalf of\n                 the Office of Personnel Management\'s Federal Investigative Services Division, confirmed\n                 that contractor personnel requiring only routine physical access to federally controlled\n                 faci.lities for greater than 6 months are required to be issued a PIV credential. Therefore,\n                 CNIC should issue PIV credentials, not Rapidgate credentials, to contractor employees\n                 who only require routine physical access to Navy installations for greater than 6 months.\n\n                 Additionally, the Deputy Commander stated that NCACS vetting combined with the NCIC\n                 check encompasses those checks conducted via a National Agency Check with Written\n                 Inquiries. However, as noted in our draft report, the public record databases used by Eid\n                 Passport were unreliable, and OM 8 Memorandum 05-24 states employees and contractors\n                 must undergo a National Agency Check with Written Inquiries background        investigat~on\n\n                 to obtain a PIV credential. We request that the Commander, Navy Installations Command,\n                 reconsider the recommendation and provide additional comments on the final report.\n\n\n                 Recommendation A.3.\n                 We recommend, the Commander, Navy Installations Command:\n\n\n\n\n16 1DODIG-2013-134                                FEJR EJFFIEIAb ~SE EJNLY\n\x0c                                 FOR OFFICIAL l.xJ9E ONLY                                        Finding A\n\n\n\n           fFQYQ).                    the resources and capabilities needed\n           to access National Crime Information Center and the Terrorist\n           Screening Database.\n\n        b. Establish a process to identify which instaUations need resources\n           and capabilities to access the National Crime Information Center and\n           the Terrorist Screening Database for contractor background vetting\n           and provide Installation Commanders with needed resources and\n           capabilities.\n\nCommande~ Navy Installations Command Comments\nThe Deputy Commander, Navy Installations Command, responding for the Commander,\nNavy Installations Command, disagreed with the recommendation.                  The Deputy\nCommander stated CNJC already provides access control resources and capabilit ies\nto Navy installations. The Deputy Commander stated Navy installations are generally\nNCIC-capable, and NCACS is in the process of attaining even greater and more-faci litated\nNCIC access through process improvements.           Furthermore, the Deputy Commander\nstated that the Inspector General\'s conclusions regarding NCJC-check capability of Navy\ninstallations were based upon interviews of persons who did not have full knowledge of\nthe system, such as gate guards who are not responsibiP. for cr~>dentia Iing.\n\n\nOur Response\nComments from        the Deputy Commander,          Navy   Installations Command, were\nnonresponsive. As noted in our draft report, of the 10 Navy installations visited, 7 did\nnot have access to the NC IC database. Furthermore, during our audit, N3AT\'s Program\nDirector acknowledged that not all Navy installations were performing NCIC checks\nprior to providing the NCACS credential to contractor employees. NCACS credentials\nprovide contractors the ability to gain unescorted installation access. As noted in our\ndraft report, DoD DTM 09-012 requires contractors without a Federal PIV to be vetted\nthrough the NCIC database to gain unescorted access to DoD installations. Given that\nthe DoD DTM 09-012 established the NCIC check requirement in December 2009, the\nrequired NCIC capability should already be established at all Continental United States\nNavy installations. Additionally, our report findings and conclusions regarding NCIC\ncheck capabilities were based upon interviews with and documentation obtained from\ninstallation security officers, security directors, physical security specialists, access\ncontrol officers, and N3 operations officers who were fully knowledgeable regarding the\nstat:us of their installation physical security and access control capabilities. We request\nthat the Commander, Navy Installations Command. reconsider the recommendation and\nprovide ad ditional comments on the final report.\n\n\n\n                                 FOR OFFICIAL l.xJSE ONLY                                 DODIG-2013-134 J 17\n\x0cFinding B                                        FOR OFFIC!Ab USE ONLY\n\n\n\n\n                 Finding B\n                 NCACS Projected Costs Not Supported\n                 CNEC N3AT misrepresented projected costs to operate NCACS as a no-cost, low-cost\n                 solution. This occurred because CNIC NJAT d id not perform a comprehensive BCA\n                 and issued policy that prevented transparent accounting for actual NCACS costs. As a\n                  result, the Navy is unable to account for actual NCACS-related charges from contractor\n                 companies. For example, we found that the !Navy has incurred NCACS-related charges of\n                 at least $1.2 8 million for 17 of the 30,702 contractor companies enrolled. Additionally,\n                 other DoD Components located on Navy-controlled installations and joint bases may be\n                 inadvertently absorbing the costs of NCACS.\n\n\n\n                 Costs Not Identified or Pr,o perly Represented\n                 CNEC N3AT misrepresented the projected costs incurred by the Navy to operate NCACS.\n                 CNEC N3AT marketed NCACS to DoD and the Navy as a no-cost,\n                 low-cost access control solution. CNIC N3AT officials claimed\n                  NCACS was Jow-cost because fees paid by the par ticipating               During\n                                                                                        t he initial\n                 contractors would serve as the primary source of revenue\n                                                                                    implementation\n                 for the service provider, Eid Passport. According to                of NCACS, Navy\n                 CNEC N3AT, t he costs borne by the Navy for NCACS were          Co mmands exp resse d\n                                                                                   concern over the\n                  limited to providing phone lines, electrical power, and\n                                                                                 po ssible cost impact s\n                 space for Rapidgate kiosks. However, during the initial            associated with\n                  implementation of NCACS, Navy Commands expressed                        NCACS.\n                 concern over the possible cost impacts associated with NCACS.\n\n                 At the request of t:he Shore Readiness Division (OPNAV N46), the Naval Air Systems\n                 Command (NAVAIR) and Naval Supply Systems Command (NAVSUP) conducted cost\n                 analyses and impact assessments for NCACS implementation.             Both the NAVSUP\n                  memorandum, "Cost Analysis and Impact of RAPIDGatejNavy Commercial Access\n                 Control System (NCACS) Implementation;\' November 18, 2011, and the Naval Air Systems\n                 Command, "NAVAIR Cost Analysis and ImpactofRAPIDGatejNCACS," November 21,2011.\n                 concluded that the cost reportedly absorbed by contractors to obtain Rapidgate credentials\n                 a re transferred back to the Navy in the form of h igher contract overhead costs and other\n                 contract fees. Additionally, NAVSUP performed a detailed cost analysis comparing NCACS\n                 and Common Access Cards, concluding NCACS credentials could potentially cost 10 times\n                 as much as Common Access Cards over a 10-year period. Furthermore, one contractor\n\n\n\n\n18 1 DODIG-2013-131                              r~R ~FFIEIAL   M8E   ~NLY\n\x0c                                FOR OFFIC!Ab USE ONLY                                            Finding 8\n\n\n\nworking on the Joint Strike Fighter program stated it planned to increase the cost of its\ncontract approximately $1 million annually over a 5-year period! as a result ofNCACS. Due\nto potential increased contract costs and the nature of the Joint Strike Fighter program,\nthe program officials determined! the contractor employees were eligible for issuance of\nCommon Access Cards as authorized under DoD policy.\n\n\nCNIC Cost Claims Unreliable and Unsubstantiated\nCNIC N3AT\'s low-cost claims were unreliable because CNIC N3AT did not perform a\ncomprehensive BCA and were unsubstantiated because they issued policy preventing\ntransparent accounting of NCACS costs. CNIC N3AT did not perform a comprehensive\nBCA in response to the Shore Readiness Division (OPNAV N46) request for cost\nanalyses and impact assessments of NCACS. In November 2011, the Program Director,\nCNIC N3AT, conducted an NCACS !BCA that concluded CNJC would realize a cost avoidance\nexceeding $295 million over 5 years by utilizing the Rapidgate system.           However,\nCNIC N3AT\'s BCA did not meet the BCA requirements contained in the Department of\nthe Navy Chief Information Officer Memorandum, "Required Use of T he Department of\nThe Navy (DON) Enterprise Information Technology Standard Business Case Analysis\n(BCA) Template," june 30, 2011. The Department of the Navy BCA template includes\nperformance measures (baseline, target, and goal), operational impact, financial costs,\nand savings projections based on an approved methodology. However, CNIC N3AT\'s\nBCA did not include all the elements required by the Department of the Navy\nMemorandum. For example, CNIC N3AT did not include a financial analysis of net present\nvalue, break-even point, benefit cost rat io, and financial return on investment over the\nlife of the program in its BCA. Furthermore, CNIC N3AT\'s BCA analysis did not include\nany non-financial benefits and risks associated with NCACS, such as interoperability,\nefficiency, and reliability of the system. The Director, Shore Readiness, Deputy Chief of\nNaval Operations (Fleet Readiness and Logistics), as the resource sponsor for CN JC, should\nperform an independent BCA for NCACS in accordance with the Department of Navy\nChi\xc2\xb7e f Information Officer requirements and determine the most efficient way forward.\n\nAdditionally, CNIC N3AT officials claimed that NCACS was a low-cost solution because\nfees paid by the participating contractors would serve as the primary source of revenue\nfor the service provider. Despite lacking authority to direct the contract management of\nother Navy commands, CNIC N3AT issued policy that prevented contractors from directly\ncharging Navy contracts for NCACS, which hindered accounting of actual program costs.\nCNIC issued Notice 5530, "Navy Commercial Access Control System Within Continental\nUnited States Regions, Navy Region Ha waii, and joint Region Marianas," July 5, 2012,\nrequesting that all contracts involving physical access to Navy insta llations include a\n\n\n\n\n                                F~R ~FFlCIAL   USE   ~NLY                                 DDODEG\xc2\xb72013-134 19\n\x0cFinding B                                           FOR OFFIE:Utb HSE OPH::Jl\n\n\n\n                    provision that costs incurred by the contractor to obtain Rapidgate credentials are not\n                    reimbursable as a direct cost to the Navy. However, CNIC Notice 5530 does not prohibit\n                    contractors from indirectly charging for Rapidgate     credentia~ s.   reducing the visibility\n                    of NCACS costs. CNIC N3AT officials acknowledged that costs would be borne by the\n                    Navy component in indirect contract costs.\n\n                    Furthermore, CNIC Instruction 5530.14, "CNIC Ashore Protection Program," July 7, 2011,\n                   "applies NCACS requirements to all Navy facilities and non-Navy organizations p hysically\n                    located on or aligned to U.S. Navy-controlled installations." DoD Components located\n                    on Navy-controlled installations and joint bases that wish to have contractors receive\n                    routine physical access without the hindrance of a daily pass are required to enroll in\n                    Rapidgate. However, these DoD Components are not subject to the provision requiring\n                    them to disallow contractors to charge for Rapidgate credentials. Therefore, other DoD\n                    Components located on Navy-controlled installations and joint bases could be directly\n                    or indirectly charged for NCACS participation. Because CNIC is not authorized to direct\n                    commercial vendor contractmanagemen tforother Navy Commands and DoD Components,\n                    the Assistant Secretary of the Navy (Research, Development, and Acquisition) should\n                    review NCACS contract language concerning reimbursement of NCACS or Rapidgate\n                    credential costs and take appropriate action.\n\n\n                    NCACS Costs are Unknown\n                    CNIC N3AT was not able to account for, or adequately project, NCACS costs to the\n                    Navy. In its current state, the costs associated with NCACS are unknown but could be\n                    exorbitant. For example, contractors charged the Navy indirectly for costs incurred to\n                    participate in the NCACS program. We identified 17 contra ctors\n                    that charged the Navy over $1.28 million for costs incurred              We\n                   to purchase Rapidgate credentials through overhead                     identified\n                                                                                      17 contractors that\n                    or other indirect charges. See Appendix B for more              charged the Navy over\n                    information on the evaluation of the 17 contractors             $1.28 million for costs\n                   and associated cost. According to the NAVSUP cost                 incurred to purchase\n                                                                                    Rapidgate credentials\n                   analysis completed in November 2011, the NCACS\n                                                                                     through overhead or\n                    program had 9,657 companies and 64,924 contractor                   other indirect\n                    employees enrolled. NAVSUP concluded that Eid Passport                 charges.\n                   as the sole NCACS service provider was potentially earning\n                    between $12 and $15 million annually for Rapidgate services provided to the Navy, which\n                    coll!ld be charged back to the Navy as indirect costs. According to CNIC N3AT\'s "NCACS\n                    In Action" report dated March 1, 2013, there were 30,702 companies enrolled with\n                    298,204 NCACS participants. As of March 2013, NAVSUP concluded that Eid Passport\n\n\n\n\n20   I DODIG-2013-131                               F~R ~FFIEIAL    M8E   ~NLY\n\x0c                                 FOR OFFICIAL l.xJ9E ONLY                                       Finding 8\n\n\n\nwas realizing annual revenue of at least $53 million which could be indirectly charged\nback to the Navy. Therefore, the Navy spent an unknown amount of funds while possib ly\ntaxing other DoD Components to pay for NCACS, a system that provides weak security\nas discussed in Finding A with no valid contractual coverage as discussed in Finding C.\nHowever, until the Navy receives agreement fmm other DoD Components and adjusts\npoliicy to adequately address those possilbly affected by the implementation of NCACS, the\nNavy will be unable to ensure non-Navy tenant activities and MWtary Services located on\nNavy-controlled installations and joint bases do not inadvertently fund NCACS.\n\n\nRecommendations, Management Comments, and Our\nResponse\nRecommendation 8.1.\nWe r ecommend the Assistant Secretary of the Navy (Research, Development, a nd\nAcquisition}, review the use of Navy Commercial Access Control System/Rapidgate\ncontra ct language concerning contractor reimbursement and take appropriate\naction, if necessary.\n\n\nAssistant Secretary of the Navy (Research, Development, and\nAcquisition) Comments\nThe   DirectoJ~   Program Analysis and Business Transformation and Director, Services\nAcquisition, Office of the Deputy Assistant Secretary of the Navy (Acquisition and\nProcurement), responding for the Assistant Secretary of the Navy (Research, Development,\nand Acquisition), agreed with the recommendation. The Director stated he will initiate\nand complete a review of the Navy Commercial Ac-cess Control SystemjRapidgate\ncontract language to ensure contract language is consistent with the Federal Acquisition\nRegulation (FAR) Subpart 31.2 by October 25, 2013. The Director stated he will take\nappropriate action based on the review.\n\n\nOur Response\nComments from the Director were responsive, and no further comments are required.\n\n\nRecommendation 8.2.\nWe recommend the Director, Shore Readiness, Deputy Chief of Naval Operations\n(Fleet Readiness and Logistics):\n\n\n\n\n                                 FOR 8FFIEIAb ~SE ONLY                                   DDODEG\xc2\xb72013-134 21\n\x0cFinding B                                           FQR 8FFICh\'d:: t;"!3E 8P4LY\n\n\n\n                            a . Obtain an independent compre hensive business case analysis for the\n                               Navy Commercial Access Control System in accordance with Department\n                               of the Navy Chief In formation Officer Memorandum "Required Use of\n                               Department of the Navy (DON) Enterprise Information Technology\n                               Standar d Business Case Analysis (BCA) Te mplate," based on an approved\n                               m ethodology such as the Economic Viability Tool, and\n\n                            b. Determine the way forward for contractor installation access based on\n                               the findings of the independent, comprehensive business case analysis.\n\n                   Directo"\' Shore Readiness, Deputy Chief of Naval Operations\n                   (Fleet Readiness and Logistics) Comments\n                   The Director, Shore Readiness, Deputy Chief of Naval Operations (Fleet Readiness and\n                    Logistics), agreed with the recommendation.        The Director stated the Commander,\n                    Navy Installations Command, has requested that the Director, Assessments Division\n                    (OPNAV N8 1), provide an expedit,e d independent verification and validation of the NCACS\n                    BCA. Additio nally, the Director stated OPNAV N46 will work with the Assistant Secretary\n                    of the Navy ( Financial Management and Comptroller), OP NAV N81, CNIC, and other Navy\n                   stakeholders to review, validate, and ad just for mat/template accordingly to ensure the\n                    completed! BCA fully complies with the DoD Inspector Genera l\'s requiremen ts.\n\n\n                   The Director stated if fo!Jow-on actions are required as determined by the BCA, then\n                    OPNAV N46 will work w ith CNIC to ensure development of consistent policies and\n                    procedures across a ll Navy regions for contractor installation access control. The Director\n                   stated, at a minimum, the policies and procedures will provide reciprocity for contractors\n                   with existing federa lly sponsored background investigations. Finally, the Director stated\n                    CNIC, with OPNAV N46 oversight , will a lso work with Echelon II commands to create a\n                    visitor co nt rol process that complies with DoD and Dep artment of the Navy installation\n                   security standards.\n\n\n                   Our Response\n                    Comments from the Director were responsive, and no further comments are required.\n\n\n\n\n22   I DODIG-2013-131                               FSR SFFICIAb H!3E 8Nb\\\'\n\x0c                                 FOR OFFIEL\'tb HSE ONLY                                       Finding C\n\n\n\n\nFinding C\nCNIC Circumvented Competitive Contracting\nRequirements\nThe CNIC N3AT Program Director, N3AT Assistant Program Managers for physical security,\nand the Naval District Washington Chief Information Officer, circumvented competitive\ncontracting requirements, using two different contracting offices and inappropriate\ncontracting methods to implement and execute NCACS. Specifically, CNIC N3AT:\n\n        \xe2\x80\xa2 directed a prime contractor, in October 2011, and September 2012, to enter\n           i.nto unauthorized commitments for out-of-scope work;\n\n        \xe2\x80\xa2 restricted full and open competition; and\n\n        \xe2\x80\xa2 allowed Eid Passport to continue providing services since November 1, 2012,\n           without a contract.\n\nThis occurred because CNIC N3AT did not have contracting authority and developed a\nCOC as an administrative approach to maintain a relationship with Eid Passport. As a\nresult. the Navy expended $1,179,299 in disallowable costs for Eid Passport\'s services\nand equipment. Furthermore, CN\'IC N3AT lacked oversight of, and legal recourse against,\nEid Passport should Eid Passport fail to meet the requirements for implementing the\nNavy\'s identity management and perimeter installation access control solution.\n\n\n\nContractor Competition is Required\nThe Competition in Contracting Act of 1984 requires agencies to obtain full and open\ncompetition using competitive procedures in their procurement activities, unless\notherwise authorized by Jaw. Contracts awarded using full and open competition permit\nall prospective contractors that meet certain criteria to submit proposals. Agencies are\ngenerally required to perform acquisition planning and conduct market research to\npromote and provide for full and open competition.\n\n\nRapidgate Procurement History\nAccording to the "Navy Marine Corps Acquisition Regulation Supplement (NMCARS),"\njanuary 2013, CNIC does not have contracting authority and is required to obtain\ncontractual coverage from the appropriate Head of Contracting Activity depending on\nthe type of procurement. Due to CNIC\'s lack of contracting authority, a Government\n\n\n\n\n                                 FOR OFFICIAL !:tSE ONhY                               DODIG-2013-134   I 23\n\x0cFinding C                                                     FOR OFFICIAL        ~!3E   8NLY\n\n\n\n                Purchase Card (GPC) is the only contractual vehicle available to CNIC that does not require\n                formal procurement support.\n\n                In April20 10, CNIC N3ATpurchased seven, 1-year Rapidgatesystemsubscriptions totaling\n                $2,499.49, using a CN IC GPC, with NAVSUP-delegated contracting authority, from the\n                General Services Administration schedule. According to the NAVSUP Instruction 4200.99,\n                "Department of the Navy (DON) Policies and Procedures for the Operation and\n                Management of the Government-Wide Commercial Purchase Card Program (GCPC),"\n                October 13, 2006, the GPC shall be used to make open market purchases for supplies\n                and services not to exceed $2,500. The General Services Administration purchase order\n                forms indicated that the price for seven Rapidgate subscriptions was $3,059.00. However,\n                CNIC requested and was grantedl a price change authorization which resulted in a final\n                price of $2,499.49,$0.51 below the micro-purchase threshold. In April2011, CNIC N3AT\n                renewed the seven Rapidgate system subscriptions totaling $2,499.49 for an additional\n                year using the same GPC methodology on another individual\'s GPC. However, the April\n                2011 purchase order was canceled in October 2011 due to objections from NAVSUP\n                regarding the contractual manner in which Rapidgate services were acquired.\n\n\n                Prime Contractor Directed to Enter Into Unauthorized\n                Commitments\n                Without contracting authority, CNIC N3AT officials, with\n                assistance from the Naval District Washington Chief                                      CN IC N3AT\n                                                                                                     officials ...directed\n                Information Officer, directed a prime contractor,                                  a prime contractor, 3e\n                3e Technologies International (3eTI), to enter into                             Tech nologies International,\n                unauthorized commitments totaling $1,179,299                                    to e nter into unauthorized\n                                                                                                  c ommitments total ing\n                without obtaining approval from the contracting\n                                                                                                    $1,179,299 w ithout\n                officers.         According to the Federal Acquisition                           ob taining pr ior approval\n                Regulation (FAR) 43.102(a)(3), only contracting                                     from the contracti ng\n                officers can direct or encourage the contractor to                                         officers.\n\n                perform work. However, CNIC officials directed 3eTt\n                personnel to subcontract for Eid Passport services and equipment on two unrelated\n                contracts awarded by Naval Sea Systems Command contracting offices.\n\n                In October 2011, 3eTI subcontracted with Eid Passport to purchase eight Rapidgate\n                system subscriptions valued at -                              under a contract awarded by Naval Surface\n                                                                      6\n                Warfare Center (NSWC) Panama City.                        The accompanying Statement of Work between\n\n\n                    6\n                        Contract No. N61331-08-D-0043 Delivery Order 0006 was awarded by NSWC Panama City on Aprill3, 2011.\n\n\n\n\n  I\n24 DODIG-2013-134                                             F8R 8FFIEIAb ~!3E 8P4LY\n\x0c                                          FOR OFFIC!Ab USE ONLY                                                 Finding C\n\n\n\n3eTI and Eid Passport provides for the installation of Rapidgate at all Navy installations in\nthe Continental United States, Hawaii, and Marianas. However,3eTI\'s contract with NSWC\nPanama City for the Navy-Wide Virtual Perimeter Monitoring System was restricted to the\ndevelopment and demonstration of an interface capability at installations in Naval District\nWashington. The contract did not include provisions for installation and ma\xc2\xb7intenance\not\' Rapidgate at all Navy installations in the Continental United States, Hawaii, and joint\nRegion Marianas. Additionally, NSWC Panama City contracting personnel stated they\nwere unaware of the 3eTI subcontract with Eid Passport. Therefore, 3eTI\'s subcontract\nwith Eid Passport was an unauthorized commitment for out-of-scope work that would\nnormally require use of competitive contracting p rocedures. The Chief of Contracting at\nNSWC Panama City should review the 3eTI subcontract and determine whether the costs\nshould be disallowed and recouped in accordance with FAR 42.8, "Disallowance of Costs,"\nor if ratification actions may be appropriate in accordance with FAR 1.602-3,\n"Ratification of Unauthorized Commitments." After the review is completed, the Chief of\nContracting should take the appropriate contracting actions.\n\nFurthermore, on September 27, 2012, 3eTI subcontracted with Eid Passport to\npurchase Rapidgate proprietary handheld scanners, valued at -                                on a contract\n                                             7\nawarded by NSWC Port Hueneme. This subcontract was initiated by the Naval District\nWashington Chief Information Officer at the direction and request of CNIC N3AT officials\nwithout working through the procuring contracting officer. However, 3eTI\'s contract\nawarded by NSWC Port Hueneme was for the design, development, integration test, and\nimplementation of the Critical Infrastructure S\xc2\xb7e nsor Network and it did not include\nprovisions for the purchase of handheld scanners. Additionally, the NSWC Port Hueneme\ncontracting officer was unaware of the subcontract and stated 3eTI did not have an\napproved purchasing system in accordance with FAR 44.201-1(b). FAR Part 44.201\nprohibits a ny subcontracting by a contractor without an approved purchasing system\nif subcontracting amount exceeds 5 percent of the contract value. Since the estimated\ncontract value was $9,923,241, the value for 3eTI\'s subcontract with Eid Passport was\nmore than 10 percent of the estimated contract value and therefore should have required\nprior approval from the contracting officer. Therefore, 3eTI\'s subcontract with Eid\nPassport was an unauthorized commitment for out-of-scope work that would require\nuse of competitive contracting procedures or a Justification and Approval for sole source.\nThe Chief of Contracting at NSWC Port Hueneme should review the 3eTI subcontract\nand determine whether the costs should be d isallowed and recouped in accordance\nwith FAR 42.8, "Disallowance of Costs," or if ratification actions may be appropriate in\naccordance with FAR 1.602-3, "Ratification of Unauthorized Commitments." After the\n\n 7\n     Contract No. N63394-12-C\xc2\xb75127 was awarded by NSWC Port Hueneme on September 14, 2012.\n\n\n\n\n                                          FOR OFFICIAL 1:1SE ONUt                                        DODIG-2013\xc2\xb7134   I 25\n\x0cFinding C                                        FOR OFFICh\'tb ~9E SPQLY\n\n\n\n                 review is completed, the Chief of Contracting should take the appropriate contracting\n                 actions. Furthermore, the Assistant Secretary of the Navy (Research, Development, and\n                 Acquisition), in conjunction with the Director of Contracts, Naval Sea Systems Command,\n                 should conduct an accountability review relating to the unauthorized commitments\n                 including full access to all information and individuals necessary to conduct the review.\n\n\n                 CNIC Officials\' Actions Restricted Full and Open\n                 Competition\n                 After entering into unauthorized commitments with Eid Passport, in June 2012,\n                 CNIC N3AT issued an NCACS sources sought notice for market research to determine\n                 which vendors had the capabilities to meet NCACS requirements. According to the NCACS\n                 sources sought notice, the purpose was to obtain information regarding the availability\n                 and capability of all qualified sources interested in participating as a NCACS commercial\n                 credentialingservice. However; accordingto \xc2\xb7the NCACS sources sought notice, no contract\n                 would be issued, and cont ract proposals were not being accepted. CNIC N3AT officials\n                 stated there were two responses to the sources sought notice, one from Eid Passport and\n                 another from Intellicheck Mobilisa. Despite previous statements of work noting that\n                 Eid Passport vetted individuals against unreliab le databases, CNIC N3AT determined\n                 only Eid Passport\'s response qualified them to and selected them to continue to provide\n                 services for NCACS. However, instead of beginning appropriate contracting procedures to\n                 maintain the services provided by Eid Passport, CNIC N3AT officials issued a COC, which\n                 is not a contract, to Eid Passport based on its response to the sources sought notice.\n\n\n                 Navy Lacks Contractual Coverage for Eid Passport\n                 Services\n                 While CN IC N3AT has been receiving services from Eid Passport to implement Rapidgate\n                 at all Navy installations and facihties in the Continental United States, Hawai.i, and the\n                 Marianas Eslands since April 2010, the Navy has not had valid contractual coverage since\n                 November 1, 2011. Instead of providing for full and open competition, CNIC N3AT officials\n                 directed a prime contractor to enter into unauthorized commitments for Eid Passports\'\n                 proprietary Rapidgate system and then issued a COC in October 2012 to allow Eid Passport\n                 to continue providing services for the NCACS program. The COC explicitly stated it is\n                 not a Federal contract and does not constitute an enforceable agreement. Furthermore,\n                 the COC did not meet the definition of a contract as stated in FAR Part 2.101 because a\n                 warranted conn\xc2\xb7acting officer did not sign it and it did not bind the Federal Government\n\n\n\n\n26 1DODIG-2013-134                               FSR SFFIEIAb ~9E 8NH/\n\x0c                                            FOR OFFIC!Ab USE ONLY                                                                      Finding C\n\n\n\nfor any obligation of funds. As of May 2013, CNIC N3AT has allowed Eid Passport to\ncontinue providing Rapidgate to support NCACS without contractual coverage.\n\n\nAppropriate Contracting Authority Was Not Used\n                              CNIC N3AT officials improperly directed a prime contractor to\n                                        enter into unauthorized commitments, used inappropriate\n           CNIC\n      N3AT officials                      contracting methods, and incorrectly d eveloped the COC\n        improperly                         because they did not have contracting authority.                              The\n     directed a prime                      "Navy Marine Corps Acquisition Regulation Supplement\n    contractor to enter\n                                           (NMCARS),"            January         2013,        establishes          uniform\n    into unauthorized\n      commitments.                        Department of the Navy policies and procedures for\n                                         implementing and supplementing the FAR and the Defense\n                                  Federal Acquisition Regulation Supplement. NMCARS identifies\n11 Head of Contracting Activities (HCAs) i n the Navy responsible for managing and\noverseeing their respective contracting miss ions. According to the NMCARS, CNIC does\nnot have HCA authority and is therefore re quired to obtain contractual coverage from\nthe proper HCA depending on the type of procurement. CNIC N3AT officials justified\ntheir use of the COC relationship with Eid Pa ssport stating their requests for contractual\ncoverage from an appropriate HCA we1\xc2\xb7e cu mbersome and difficult. For example, after\ncancellation of the GPC procurement of Rapidgate, C!NIC N3AT approached an HCA,\nNaval Facilities Engineering Command, to pl ace NCACS into a contract administered by\nNaval Facilities Engineering Command. However, Naval Facilities Engineering Command\ndeclined to support the request resulting in CNIC N3AT officials inappropriately directing\nan NSWC Panama City prime contractor to su bcontract for Rapidgate. After reviewing the\nNSWC Pan ama City subcontract, CNIC gener al wunsel was concerned and notified CNIC\nN3AT officials that this type of contract woul d not receive any legal support in the future.\nSubsequently, CNJC N3AT officials develope d the COC as an administrative approach to\nmaintain a relationship with Eid Passport t hat did not requir e an acquisition vehicle.\nAccording to CNIC N3AT officials, the COC l everages the Navy\'s stance as a third-party\nbeneficiaryS of the implied contract(s) bet ween NCACS participants and Eid Passport.\nHowever, the Navy continued to receive se rvices, such as identity vetting, credential\ncreation, and database maintenance, direct ly from Eid Passport for maintenance and\nmanagemellit of the NCACS program. The Assistant Secretary of the Navy (Research,\nDevelopment, and Acquisition) should initia te a review of the inappropriate contracting\npractices related to NCACS and Eid Passpo rt and establish a corrective action plan to\nresolve the contracting improprieties.\n\n\n8 A third-party beneficiary is a party who stan ds to benefit from the execution of the contract even though that was not the\n\n  intent of either contracting party.\n\n\n\n\n                                            r~R ~FFIEIAL          M8E   ~NLY                                                    DODIG-2013-134   I 27\n\x0cFinding C                                         FOR OFFIC!Ab USE ONLY\n\n\n\n                 Navy Spent Over $1.1 Million in Potentially\n                 Unallowable Costs and Lacked Oversight and Legal\n                 Recourse Against Eid Passport\n                 The Navy expended $1,179,299 in potentially unallowable costs for Eid Passport\'s\n                 services and equipment. Furthermore, CNIC N3AT lacked oversight of, and legal recourse\n                 against, Eid Passport in the event the service provider failed to meet its responsibilities.\n                 The COC did not bind Eid Passport to perform the actions outlined in the COC and did not\n                 provide CN IC N3AT the ability to legally enforce the stated requirements because the COC\n                 did not constitute an enforceable agreement. For example, the COC required Eid Passport\n                 to comply with DoD Information Assurance Certification and Accreditation Process, and\n                 the NCACS Standard Operating Procedures. Additionally, under the COC, Eid Passport will\n                 be subjected to an annual compliance audit by CNlC N3AT. However, without a contract or\n                 legally binding agreement, CNlC N3AT officials did not have any legal options to enforce\n                 compliance with the stated requirements. The only viable administrative option available\n                 to CNIC N3AT is to terminate the COC issued to Eid Passport. However; this would render\n                 NCACS inoperable because Eid Passport maintains the NCACS program data and the\n                 database used for authentication.\n\n\n                 Conclusion\n                 The Navy Commercial Access Control System, using Rapidgate, did not effectively mitigate\n                 access control risks, and did so at a potentially exorbitant price to the Navy. Although\n                 NCACS did not comply with Federal and DoD vetting standards and did not effectively\n                 mitigate access control r isks, CN IC N3AT took extraordinary measures to ensure the\n                 program continued to operate without contracting authority. CNIC N3AT personnel used\n                 inappropriate contracting practices, such as directing a prime contractor to enter into\n                 unauthorized commitments to maintain Eid Passport\'s Rapidgate system and issuing\n                 policy that prevented the Navy from fully accounting for NCACS costs. These actions\n                 appear to have provided Eid Passport with a competitive advantage, allowing them to\n                 realize substantial revenue annually for providing credentialing and vetting services for\n                 the Navy without a contract. See Finding A for information on access control risks and\n                 Finding B for the costs associated with NCACS. Due to the improprieties of NCACS and\n                 consistent violations of Federal acquisition requirements, the Director, Shore Readiness,\n                 Deputy Chief of Naval Operations (Fleet Readiness and Logistics), shouEd review\n                 CNIC N3AT officials\' actions, and determine whether administrative actions should be\n                 taken, if appropriate.\n\n\n\n\n28 1DODIG-2013-134                                r~R ~FFIEIAL   M8E   ~NLY\n\x0c                                FOR OFFJCIAb HSH ONbY                                           Finding C\n\n\n\n\nRecommendations, Management Comments, and Our\nResponse\nRecommendation C.1.\nWe recommend the Assistant Secretary of the Navy (Research, Development, and\nAcquisition}, initiate a review of the inappropriate contracting practices related to\nthe Navy Comme1\xc2\xb7cial Access Control System and establish a corrective action plan\nto resolve the contracting improprieties.\n\n\nAssistant Secretary of the Navy (Research, Development, and\nAcquisition) Comments\nThe Director; Program Analysis and Business Transformation and Director. Services\nAcquisition, Office of the Deputy Assistant Secretary of the Navy (Acquisition and\nProcurement), responding for the Assistant Secretary ofthe Navy (Research, Development,\nand Acquisition), agreed with the recommendation. The Director stated the Office of the\nDeputy Assistant Secretary of the Navy (Acquisition and Procurement), will initiate and\ncomplete a review of the contracting practices and establish a corrective action plan if\nit is determined that there were any improprieties. The Office of the Deputy Assistant\nSecretary of the Navy (Acquisition and Procurement), expects to finish their review of the\ncontracting practices by October 25, 2013.\n\n\nOur Response\nComments from the Director were responsive, and no further comments are required.\n\nRecomm\xc2\xb7endation C.l.\nWe recommend the Assistant Secretary of the Navy (Research, Development, and\nAcquisition}, in conjunction with the Director of Contracts, Naval Sea Systems\nCommand, initiate an accountability reviiew relating to the unauthorized\ncommitments including full access to all information and individuals necessary to\nconduct the review.\n\n\nAssistant Secretary of the Navy (Research, Development, and\nAcquisition) and Director of Contracts, Naval Sea Systems\nCommand Comments\nThe Director, Program Analysis and Business Transformation and Director. Services\nAcquisition, Office of the Deputy Assistant Secretary of the Navy (Acquisition and\nProcurement), responding for the Assistant Secretary ofthe Navy (Research, Development,\n\n\n\n\n                                FEJR EJFFIEIAb ~SE EJNH/                                 DODIG-2013-134   I 29\n\x0cFinding C                                      FOR OFFIC!Ab USE ONLY\n\n\n\n                and Acquisition), and the Associate Director of Contract s, Naval Sea Systems Command,\n                responding fo r the Director of Contracts, Naval Sea Systems Command, agreed w ith\n                the recommendation. The Director, Program Analysis and Business Transformation\n                and Director, Services Acquisition, Office of the Deputy Assistant Secretary of the Navy\n                (Acquis ition and Procurement), and the Associate D]rector of Contracts, Naval Sea\n                Systems Command, stated they w ill perform the recommended accountability review by\n                October 25, 2013.\n\n\n                Our Response\n                Comments from the Director, Program Analysis and Business Transformation and Director,\n                Services Acquisition, Office of the Deputy Assistant Secretary of the Navy (Acquisition\n                and Procurement), and the Associate Director of Contracts, Naval Sea Systems Command,\n                were responsive, and no further comments are required.\n\n\n                Recomm,e ndation C.3.\n                We recommend the Director, Shore Readiness, Deputy Chief of Naval Operations\n                (Fleet Readiness and Logistics), perform a review of the Commander, Naval\n                lnstaJJations Command Antiterrorism officials and consider administrative actions,\n                if appropriate for:\n\n                        a. Implementing the Navy Commercial Access Control System using\n                           Eid Passport\'s Rapidgate system that allows contractors to have access\n                           to Navy installations without having their identities vetted through\n                           mandatory authoritative databases.\n\n                        b. Implementing the Navy Commercial Access Control System without a\n                           comprehensive business case analysis.\n\n                        c. Improperly directing a prime contractor to enter into unauthorized\n                           commitments of Navy funds.\n\n                Director, Shore Readiness, Deputy Chief of Naval Operations\n                (Fleet Readiness and Logistics) Comments\n                The Director, Shore Readiness, Deputy Chief of Naval Operations (Fleet Readiness and\n                Logistics), partially agreed with the recommendation. The Director stated that any review\n                ofCNIC employees, including the determination as to whether a review is required, is the\n                responsibi lity of the Comm ander, N;wy Installations Command. The Director stated the\n                Command\xc2\xb7er; Navy Installations Command, will take administrative action as appropriate\n                pending the findings of reviews conducted purs.uant to recommendations 8.2, C.l , C.2,\n                and C.4, as well as OPNAV N81 independent review of the BCA.\n\n\n  I\n30 DODIG-2013-134                              FOR OFFICIAL !:1SE ONhY\n\x0c                                FOR OFFICIAL 1.-JSE OHLY                                          Finding C\n\n\n\n\nOur Response\nComments from the Director. Shore Readiness, Deputy Chief of Nava~ Operations (Fleet\nReadiness and Logistics), were partially responsive. We agree that reviews should\nbe conducted pursuant to recommend ations B.Z, C.l,        c.z,   and C.4, a nd if there are\nfindings, adm inistrative action be considered. However, we believe the review of CNIC\nemployee actions regarding NCACS implementation and contracting should be\nperformed by an entity independent of the Commander, Navy Installations Command.\nAn independent entity would not have a vested interest in the NCACS program and\nwould be free of potential conflicts in assessing the CNI C employee actions. We request\nthe Director, Shore Readiness, Deputy Chief of Naval Operations (Fleet Readiness\nand Logistics), reconsider the recomm endation a nd provide additional comments in\nresponse to the final report.\n\n\nRecommendation C.4.\nWe recommend the Chief of Contracting offices at Naval Surface Warfare Cente rs\nPort Hueneme and Pana ma City:\n\n        a. Review the 3e Technologies International subcontract and de termine\n           whethe r the ~costs s hould be disallowed and recouped in accordance\n           with Fe de ral Acquisition Regulation 42.8, "Disallowance of Costs,"\n           or if ratification actions may be appropriate in a ccordance with\n            Federal Acquisition Regulation 1.602-3, "Ratification of Una uthorized\n            Commitments," and\n\n        b. Take the appropriate contr acting actions in accorda nce with t he\n           determinations of the r eview.\n\nChief of Contracting Offices, Naval Surface Warfare Centers\nPort Hueneme and Panama City Comments\nThe Associate Director of Contracts, Naval Sea Systems Command, responding for the\nChief of Contracting offices at Naval Surface Warfare Centers Port Hueneme and Panama\nCity, agreed with the recommendation. The Associate Director stated Naval Sea Systems\nCommand will conduct the review of the two contract actions specified in the report by\nOctober 25, 2013.\n\n\nOur Response\nComments from the Associate Director were responsive, and no further comments are\nrequired.\n\n\n\n\n                                FEJR EJFFIEIAb ~SE EJNLY                                   DODIG-2013-134   I 31\n\x0cAppendixes                                       FOR OFFICIAL (.ooJSE OHLY\n\n\n\n\n                Appendix A\n                Scope and Methodology\n                We conducted this performance audit from October 2012 through June 2013 in\n                accordance with generally accepted government auditing standards. Those standards\n                require that we plan and perform the audit to obtain sufficient, appropriate evidence to\n                provide a reasonable basis for our findings and conclusions based on our audit objectives.\n                We believe that the evidence obtained provides a reasonable basis for our findings and\n                conclusions based on our audit objectives.\n\n                We performed the audit to determine whether NCACS is mitigating access control risks\n                to Navy installations. NCACS was implemented at all 61 Navy installations within the\n                Continental United States. Of the 61 Navy installations, we non-statistically selected a\n                sample of 10 installations to determine whether NCACS identity vetting complies with\n                Federal and DoD requirements. \'fhe locations selected represent at least one installation\n                from each of the six Navy regions within the Continental United States. According to\n                CNIC N3AT management, NCACS implementation requirements did not vary by regions\n                or installations. Therefore, the findings in this report may apply to all Navy installations\n                in the Cont inental United States.\n\n                We interviewed personnel, performed walkthroughs of Navy installation Pass and\n                Identification offices and access control points, obtained and reviewed 104 NCACS\n                warver requests, obtained and reviewed 47 contracts and other funding documentation\n                for companies enrolled in NCACS, and reviewed supporting documentation for identity\n                vetting at 10 Navy installations. From the interviews conducted with contracting officers\n                and contracting officer representatives from five of the six Navy Regiions, we identified\n                17 contractors that charged the Navy for costs incmred to purchase Rapidgate credentials.\n                We reviewed contractor Requests for Equitable Adjustments, overhead prices, and other\n                indirect costs. The records and actions reviewed occurred from April 2010 through\n                May 2013.. See Appendix B for a listing of the 17 contractors and the related NCACS\n                charges.\n\n                (FQWQ) Our review included the followi ng Navy installations.\n\n                           \xe2\x80\xa2 Naval District Washington:\n\n                                    0\n\n\n\n\n                                    0\n\n\n\n\n  I\n32 DODIG-2013-134                                r~R ~FFIEIAL   (.ooJ8E ~NLY\n\x0c                               FOR OFFIEL\\L riSE OHLY                                       Appendixes\n\n\n\n        \xe2\x80\xa2 (FOHO) Navy Region Mid-Atlantic:\n\n                  0\n\n\n\n\n                  0\n\n\n\n\n        \xe2\x80\xa2 Navy Region Southeast:\n\n                  0\n\n\n\n\n                  0\n\n\n\n\n        \xe2\x80\xa2 Navy Region Midwest:\n\n                  0\n\n\n\n\n        \xe2\x80\xa2 Navy Region South West:\n\n                  0\n\n\n\n\n                  0\n\n\n\n\n        \xe2\x80\xa2 Navy Region Northwest:\n\n                  0\n\n\n\n\nUse of Computer-Processed Data\nWe obtained and used computer-processed data. Specifically, we used paper copies of\nthe public record check results from SecurTest, Inc., and General Information Services,\nInc., databases to determine the accuracy and reliability of the information reported. We\ncompared the results of initial public record checks against the results of the periodic\nand renewal checks and discussed the inaccuracies of the publicly accessible databases\nin Finding A. We did not evaluate the databases used to perform the public record checks\nbecause Eid Passport acknowledged the public data sources used to conduct record\nchecks were not always up-to-date, complete, accurate, or available.\n\n\nPrior Coverage\nDuring the last 5 years, the Government Accountability Office (GAO), the Department\nof Defense lnspector General (DoD IG), and the Naval Audit Service issued six reports\ndiscussing DoD\'s implementation of Homeland Security Presidential Directive 12,\nphysical access control, and force protection. Unrestricted GAO reports can be accessed\nover the Internet at http://www.gao.gov. Unrestricted DoD IG reports can be accessed at\n\n\n\n\n                               FOR OFFICIAL riSE ONLY                                   DODIG-2013-134   I 33\n\x0cAppendixes                                     FOR OFFICIAL (xJSE ONLY\n\n\n\n                http://www.dodig.mil/pubs /index.cfm. Naval Audit Service reports are not available\n                over the Internet.\n\n\n                GAO\n                GAO Report No. GA0-11-751, "Personal ID Verification: Agencies Should Set: a Higher\n                Priority on Using the Capabilities of Standardized Identification Cards," September 2011\n\n                GAO Report No. GA0-08-292, "Electronic Government: Additional OMB Leadership\n                Needed to Optimize Use of New Federal Employee Identification Cards," February 2008\n\n\n                DoDIG\n                DoDIG Report No. DODIG-2012-122, "DoD Should Procure Compliant Physical Access\n                Control Systems to Reduce the Risk of Unauthorized Access," August 29, 2012 (Document\n                is F\'OUO)\n\n                DoDIG Report No. D-2009-005, "Controls Over the Contractor Common Access Card Life\n                Cycle;\' October 10, 2008\n\n                Do DIG Report No. D-2008-104, "DoD Implementation of Homeland Security Presidential\n                Directive-12," june 23, 2008\n\n\n                Navy\n                Naval Audit Service Report No. N2011-0033, "Contracts Awarded to Selected Contractors\n                by Naval Supply Systems Command and Naval Facilities Engineering Command Contracting\n                Activities," May 5, 2011 (Document is FOUO)\n\n\n\n\n  I\n34 DODIG-2013-134                              f\'~R ~FFIEIAL   (xJ8E   ~NLY\n\x0c                                     FOR OFFIC!Ab USE ONLY                                              Appendixes\n\n\n\n\nAppendix B\nIdentified Contractor Companies and Amounts Charged\nfor NCACS-Related Costs\n         Contractor Company            Amount Charged               Documentation Provided\n\n                                                            Request for Equitable Adjustment (REA) to\nASG Solutions Corporation                    $743\n                                                            contract N00178-05-D-4191-JMOl\n\nWalBridge Aldinger Company                  27,497          REA to contract N69450-09-C-0758\n\nThe Ross Group Construction Corp.           30,878          REA to contract N69450-10-D-0771-0002\n\nW.G. Yates & Sons Construction Co.          77,436          REA to contract N62467-05-D-0183\n\nJ.J. Sosa & Associates, Inc.                 5,390          REA to contract N69450-10-D-0783-0001\n\nAkea, Inc                                    4,771          REA to contract N69450-09-C-1294\n\nOrion Marine Construction                   10,742          REA to contract N69450-09-C-1259\n\nDei-Jen, Inc                                49,817          REA to contract N69450-07-D-0770\n\nGottfried Construction LLC                  21,666          REA to contract N62467-06-D-3140-0006\n\nPower Services, Inc.                         1,193          REA to contract N69450-10-C-7328\n\n                                             5,693          REA to contract N40085-11-C-0200\nW.F. Magann\n                                             9,878          REA to contract N40085-09-C-5058\n\nMcl ean Cont racting Co.                    18,673          REA to contract N40085-11-C-0001\n\nACEPEX Management Corp                      10,017          REA to contract N40085-06-D- 1260\n\n                                                            Overhead charge to contract N00189-09-\nGoodwill Industries                        199,148\n                                                            C-Z003\n\nDynCorp international                       99,197          Overhead documentation provided\n\n                                           235,640          Overhead documentation provided\nBAE Systems\n                                           202,870          Overhead documentation provided\n\nHuntington Ingalls                         270,180          Overhead documentation pro\xc2\xb7vided\n\n Total                                  $1,281,429\n\n\n\n\n                                     r~R ~FFIEIAL    M8E   ~NLY                                   DODIG-2013\xc2\xb7134   I 35\n\x0cGlossary                                             FOR OFFIEL\'tb HSE ONI::Jl\n\n\n\n\n                 Glossary\n                  Background Check: The act of reviewing both confidential and public information to\n                 investigate a person\'s history. Background checks are commonly performed by employers\n                 to ensure that: (1) an employee is who he or she says they are, (2) to determine that the\n                 individual does not have a damaging history (such as criminal activity) that may reflect\n                  poorly on the company, (3) to confirm information that an applicant included on their\n                 application for employment.\n\n                 Contractor Employee: An individual who performs work for or on behalf of any agency\n                  under a contract and who, in order to perform the work specified under the contract,\n                  will require access to space, information, information technology systems, staff, or other\n                 assets of the Federal Government. Such contracts include, but are not limited to:\n\n                           \xe2\x80\xa2 personal services con tracts,\n\n                           \xe2\x80\xa2 contracts between any non-FederaJ entity and any agency, and\n\n                           \xe2\x80\xa2 subcontracts between any non-Federal entity and another non-Federal entity\n                                 to perform wor k related to the primary contract with the agency.\n\n                  Installations: Real DoD properties including bases, stations, forts (including Nation al\n                 Guard and Federal Reserve Centers), depots, arsenals, plants (both contractor- and\n                 Government-operated), hospitals, terminals, and other special mission facilities, as well\n                 as those used primarily for military purposes.\n\n                  National Agency Check With Written Inquiries: Consists of searches of the Office of\n                  Per\'Sonnel Management Security Suitability Investigations Index; the Defense Clearance\n                 and Investigations Index; Federal Bureau of Investigation Identification Division\n                 fingerp rint name file and fingerprint chart; Federal Bureau of Investigation Records\n                  Management Division files; written inquiries; and record searches covering specific areas\n                 of a subject\'s background during the past 5 years.\n\n                  PIV Credential: A physical artifact (for example, an identity card o r a "smart" card)\n                 issued to an individual that contains stored identity credentials (such as a photograph,\n                 cryptographic keys, digitized fingerprint representation) so that the claimed identity\n                 of the cardholder can be verified against the stored credentials by another person\n                 (human-readable and verifiable) or an automated process (computer-readable and\n                  verjfiable).\n\n\n\n\n36 1 DODIG-2013-131                                  FOR OFFICIAL lvJSE ONUt\n\x0c                                    FOR OFFIC!Ab USE ONLY                                          Glossary\n\n\n\nPublic Rec()rd Check: The act of reviewing any publicly available information, minutes,\nfiles, accounts or other records (including hearsay in the record) that may not be\nup-to-date, complete, accurate, or available to investigate a person\'s history to determine\nif the individual has a damaging history (such as criminal activity).\n\nRapidgate System l\xc2\xb7Year Subscription: As listed in Eid Passport\'s General Services\nAdministration General Schedule GS-35F-0436U, the 1-year Rapidgate services include\nregistration; employee background screenings; identification badges; access control\nauthentication; reporting; equipment maintenance; and training. Rapidgate equipment\nand software include: registration station(s). guard station(s), handheld reader device(s),\nantenna equipment, and identification badges. Eid Passport retains all rights and title\nto Rapidgate equipment, software, and data.        Eid Passport charges enrollment and\nregistration fees to vendors. Minimum ordering activity qualifications: the total number\nof vendor companies divided by the tota ~ number of access control points must be at least\n50 at each facility/installation.\n\nVetting: An evaluation of an applicant\'s or a cardholder\'s character and conduct for\napproval, acceptance, or denial for the issuance of an access control credential or physical\naccess.\n\n\n\n\n                                    FOR OFFIEIAb USE OPHX                                  DODIG-2013\xc2\xb7134   I 37\n\x0cManagement Comments                              FOR OFFICIAL 1.-JSE OHLY\n\n\n\n\n                 Management Comments\n                  Department of the Navy Comments\n\n\n                                      T H E DEPUT Y UND E R SE C R ET ARY OF T HE NAVY\n                                                    WASI<INGTON OC 10350- 1000\n\n\n\n\n                       MEMORANDUM FOR Tiffi DEPARTMENT OF DEFENSE INSPECTOR GENERAL\n\n\n                       SUBJECT: Department of the Navy\'s Response to Department of Defense Inspector\n                                General Report Project Number D2013-DOOOLC-0008.000 dnted 24 Jun\n                                13\n\n                            The Department of the Navy (DON) appreciates the opportunity to respond and\n                       comment on the Department of Defense Inspector General Report Project Number\n                       02013-DOOOLC-0008.000 dated 24 Jun 13.\n\n                              The DON concurs with most of the recommendations and has established target\n                       dates to address those recommendations. The Commander, Navy Installations Command!\n                       non-concurs with rec.ommendations A.l.-A .3 in the report. The Director, Shore\n                       Readiness Division, Deputy Chief ofNaval Operations (Fleet Readiness and Logistics)\n                       non-concurs with recommendation C.3. CNIC requests to further discuss these four\n                       findings. Details of our specific comments and recommendations are attached.\n\n\n\n\n                                                              crnud.      ~~Aa\'!Ntr\n                                                                          .\n                                                               Robert Martmag\n\n                       Attachment:\n                       As stated\n\n\n\n\n38 1 DODIG-2013-131                              FEJR EJFFIEIAL 1.-JSE EJNLY\n\x0c                                 FOR OPFIEL\'tb HSE ONLY                                            Management Comments\n\n\n\n\nDepartment of the Navy Comments (cont\'d)\n\n\n\n\n              DEPARTMENT OF DEFENSE INSPECTOR GENERAL REPORT\n               PROJECT NO . D\xc2\xb72013-DOOOLC-0008.000 DATED 24 J UNE 2013\n\n               "NAVY COMMERCIAL ACCESS COI\\TROL SYSTEM DJD NOT\n                  EFFECTIVELY MJTIGATE ACCESS CONTROL RISKS"\n\n     The Navy\'s responses to the Department of Defense Inspector General\'s (DODIG)\n     recommendations are as follows:\n\n\n\n     RECOMMENDATlON A.l.: The DODIG recommended that the Commander, Navy\n     Installations Command, immediately discontinue the use of Rapidgate and any other\n     system that exclusively uses publicly a.vailable databases to vet and adjudicate contractor\n     employees accessing Navy installations. and replace it with a system or process that\n     meets Federal and DoD requirements for background vetting.\n\n     RESPO NSE (CNIC): Non-concur. Navy Commercial Access Control System\n     (NCACS) s.t andards meet or exceed Federa.I and DoD requirements for background\n     vetting. The current Commercial Credential Source (CCS) is a federally approved\n     Personal Identity Verification - Interoperable (J>IV-1) compliant company. In addition to\n     the commercial vetting conducted by the NCACS provider. the Navy currently conducts\n     the National Crime lnformation Center (NCIC) check and final issuance of the credential.\n     CNIC will always maintain oversight and quality control of the final product and\n     determines whether or not the credential is ultimately issued. Prior to acceptance into\n     NCACS as a CCS, a credentialing linn or entity must demonstrate f1.1ll compliance and\n     capabilities in conformity with a long 1ist of stringent requirements starting with HSPD-\n      12, DTM 09-012. FIPS 201, DoD 5200.08-R, and more than a dozcl\'li other Federal, DoD\n     and Navy s\'andards/instructions. Finally. more than 36.700 companies with over\n     438,000 of their employees or vendors have been vetted and credentialed via }JCACS.\n     IDiscontinuing a successful system that has facilitated over 14,000,000 safe and secure\n     visits will ensure there are unnecessarily long waiting Lines at gates and access points at\n               the                        including some or our largest bases in -\n                                                   result is loss in productivity for those\n     contractors and vendors doing business on Navy installations. Abandoning the current\n     NCACS business solution would require the hiring of significant numbers of additional\n     civil servants to work in base pass offices across the CNIC enterprise. This w<>uld not be\n     feasible in a time of austerity that has occasioned mot only furloughs and hiring freezes,\n     bui. actual Reductions in Force (RJF) at CNIC.\n\n\n\n\n                                 FEJR EJFFIEIAb HSE EJNLY                                                DODIG-2013-134   I 39\n\x0cManagement Comments                                  FOR OFFIC!Ab USE ONLY\n\n\n\n\n                    Department of the Navy Comments (cont\'d)\n\n\n\n\n                         RECOMMENDATION A.2.: The OODIG recommended that the Commander, Navy\n                         Installations Command, revise Instruction 5530.14, "CNIC Ashore Protectio111 Program,"\n                         July 7, 2011, and Notice 5530, "Navy Comrnercial Access Control System Within\n                         Continental United States Regions, Navy Region Hawaii, and Joint Region Marianas,\'"\n                         July 5, 2012, to require contractor employees req1.1iring rouuine physical access to Navy\n                         installations for greater than s ix months receive the DoD Personal Identity Verification\n                         credential with the National Agency Check with Written Inquiries.\n\n                          RESPONSE (CNTC): Non-concur. CNlC is in line with DoD authorities and\n                         Congressional guidance to leverage security by partnering with commercial entities,\n                         adopti.ng commercial off-the-shelfsolutions, and accepting identity c redentials from Non-\n                         Federal Issuers (NFT). CNIC NCACS standards either meet or exceed the requirements\n                         mandated by DoD or cited by the DOD! G. Additi<>nally, those vendors or contractors\n                         that meet the federal standards to be issued a Common Access Card (CAC) are indeed\n                         issued a CAC. It is CNIC\' s understanding of current policy there are two components to\n                         issuing a CAC - physical access to an installation for greater than six months AND\n                         logical access to the Navy\'s networks. Many vendors or contractors meet the physical\n                         access requirement for an installation but not the access to the Navy\'s network, thus\n                         necessitating other a lternatives for issuing credentials. Finally, the NCACS CCS vetting\n                         combined with the CNIC NCIC check encompasses those checks conducted via a\n                         National Agency Check with Written h1quj1\xc2\xb7ies (NACI).\n\n                         RECOMMENDATION A.3.: The DODIG recommended. that the Commander, Navy\n                         Installations Command:\n\n\n\n\n                         resources and capabilities needed to access National Crime Information Center\n                         and the Terrorist Screening Database.\n\n                           b. Establish a process to identify which installations need resources and\n                         capabilities to access. National Crime Information Center and the Terrorist\n                         Screening Database for contractor background vetting and provide Installation\n                         Commanders with needed resources and capabilities.\n\n\n\n                                                                    2\n\n\n\n\n40   I DODIG-2013-131                                FOR OFFIEIAb HSE ONLY\n\x0c                                 FOR OFFIEL\'tb l-ISE ON bY                                        Management Comments\n\n\n\n\nDepartment of the Navy Comments (cont\'d)\n\n\n\n\n     !RESPONSE (CNlC): Non-concur. CNIC has already accomplished the goal of\n     providing access control resources and capabilities to Navy Installations: NCACS is the\n     resource and is a force multiplier to Navy access control programs. Navy installations\n     are generally NCIC-capable and NCACS is in the process of attaining even greater and\n     more facilitated NC!C access via process improvements. DODIG\'s conclusions\n     regarding NCIC-check capability ofNavy installations were based upon interviews of\n     personnel who did not have full knowledge ofthe system, such as gate guards who are\n     not responsible for credentialing. Furthermore, to the extent providing resources equates\n     ro hiring additional personnel, this is not economically feasible given the fiscal\n     constraints on the Command and is not consistent with DOD and Congressional policy\n     that encourages adopting conwlercial-off-the-shel f security solutions for base access.\n     Additionally, USD(AT&L) and the Defense Manpower Data Center are currently\n     working access to the Terrorist Screening Database on beha If of all Department of\n     Defense installations via the Identity Management Enterprise Services Architecture.\n     CNIC will take advantage of this capability once it is available.\n\n     RECOMMENDATION B. I.: The DO DIG recommended that the Assistant Secretary\n     of t he Navy (Research, Development and Acquisition) review the use ofNavy\n     Commercial Access Control System/Rapidgate contract language concerning contractor\n     reimbursement and take appropriate action, if necessary.\n\n     RESPONSE (DASN(AP)): Concur. By 25 Oct 13, the Deputy Assistant Secretary of\n     the Navy for Acquisition and Procurement (DASN(AP)) will initiate and complete a\n     review of the Navy Commerciial Access Control System/Rapidgate contract language to\n     ensure the contract language is consistent with the cos! principles and procedures i.n\n     Federal Acq uisition (FAR) Subpart 31.2. Based on the review. if it is determined that the\n     contract language is inconsistent with the FAR requirements. DASN(AP) will take\n     appropriate action.\n\n     RECOM MENDATION 8.2.: T he DODIG recommended that the Director, Shore\n     Readiness, Deputy Chief of Naval Operations (Fleet Readiness and Logistics):\n\n       a. Obtain an independent comprehensive business case analysis for the Navy\n     Commercial Access Control System in accordance with Department of Navy Chief\n     [nformation Officer Memorandum "Required Use of Department ofilie Navy (DON)\n     Enterprise Information Technology Standard Business Case Analysis (BCA) Template."\n\n                                                 3\n\n\n\n\n                                 FEJR EJFFIEIAb l-ISE EJPHX                                             DODIG-2013-134   I 41\n\x0cManagement Comments                                  FOR OFFIEIAL l-ISE ONLY\n\n\n\n\n                    Department of the Navy Comments (cont\'d)\n\n\n\n\n                         based on an approved methodology such as the Economic Viability T ool, and\n\n                            b. Determine the way forward for contractor installation access based on lhe\n                         findings of the independent comprehensive business case analysis.\n\n\n                         RESPONSE (N46): Concur. Commander, Navy Installations Command has requested\n                         that the Director, Assessments Division (OPNAV N8 I) provide an expedited independent\n                         verification and validation of the Navy Commercial Access Control System (NCACS)\n                         BCA. The BCA submitted is in full compliance with the "Required Use of the\n                         Department of the Navy (DON) Enterprise Information Technology Standard Business\n                         Case Analysis (BCA) Template, 30 Juo II." OPNAV N46 will work with Assistant\n                         Department of the Navy Financial Management and Comptroller (FM &C), N8 I, CNIC\n                         and other Navy stakeholders t.o review, validate and adjust format/template accordingly\n                         to ensure the completed BCA meets full compliance of the DOD IG\'s requirements. Jf\n                         it\'s determined what, if any, follow-on actions are required il:hen, estimated completion\n                         date for the BCA and follow-on N46 analysis and recommendations is 30 Sepl 13. If\n                         determined by the BCA, OPNAV N46 will work with CNIC to ensure development of\n                         clear, concise and consistent policies and procedures across all Navy regions for\n                         contractor installation access control. At a minimum, the policies and procedures will\n                         provide rccmprocity for contractors with existing federally sponsored \xc2\xb7background\n                         investigations. CNIC, with OPNA V N46 oversight, will also work with Echelon II\n                         commands to create a visitor control pr-ocess that complies with DoD and DON\n                         installation security standards.\n\n\n                         RECOMMENDATION C.L : The DODIG recommended that the Assistant Secretary\n                         of the Navy (Research, Development and Acquisition). initiate a review of the\n                         i.nappropriate contracting practices related to the Navy Commercial Access Control\n                         System and establish a corrective action plan to resolve the contracting improprieties.\n\n                         RESPONSE (DASN(AP)): Concur. DASN(AP) will initiate and complete a review of\n                         the contracting practices and establish a corrective action plan if it is determined that\n                         there were any improprieties. Target period for completion of the review and corrective\n                         action plan, if necessary, is 25 Oct 13. It should be noted that CNIC is working with its\n                         designated contracting agency. NAVSUP, to issue a competitive contract for the Navy\n\n                                                                     4\n\n\n\n\n42   I DODIG-2013-131                                f\'~R ~FFIEIAL       l-J8E   ~NLY\n\x0c                                  FOR OFFICIAL l.xJ9E ONLY                                           Management Comments\n\n\n\n\nDepartment of the Navy Comments (cont\'d)\n\n\n\n\n     Commercial Access Control System. Contract award is expected in Q4 FYI4.\n\n     RECOMMENDAT ION C.2.: The DO DIG recommcndedl that the Assistant Secretary\n     o f the Navy (Research. Development and Acquisition), in conjunction with the Director\n     of Contracts, Naval Sea Systems Command, initiate an accountability review relating to\n     Lhe unauthorized commitments including full access to all information and individuals\n     necessary to conduct the review.\n\n     RESPONSE (NAVSEAIDASN(AP)): Concur. NAVSEA 02 in conjunction with\n     OASN(AP) will pert:\'onn the recommended accountability review by 25 Oct 13.\n\n     RECOMMENDATION C.3.: The DODJG recommended that the Director, Shore\n     Readiness, Deputy Chief of Naval Operations (Fleet Readiness and Logistics), perform a\n     review of the Commartder, Navy Installations Command Antiterrorism officials and\n     consider administrative actions, if appropriate for:\n\n        a. Implementing the Navy Commercial Access Control System using Eid\n     Passport\'s Rapidgate system that allows contractors to have access to Navy\n     ~nstallations without !having their identities vetted through mandatory authoritative\n     databases.\n\n       b. Implementing the Navy Commercial Access Control System without a\n     comprehensive business case analysis.\n\n      c. Improperly directing a prime contractor to enter into unauthorized comm.itmems of\n     Navy funds.\n\n     Response (N46): Partially concur. Any perfonnancc review ofCNIC employees.\n     inc luding the determination as to whether a review is required, is the responsibility of the\n     Commander. Navy Installations Command. Pendi111g findings from reviews conducted by\n     ASN(RDA)/NAVSEA based on DoD IG recommendations 18.2, C . I, C.2 and C.4 as well\n     as OPNAV N81 independent review of the BCA (recommendation 8.2), Commander,\n     Navy Installations Command will take administratlive actions as appropriate. Target for\n     completion of the review and recommended administrative actions, ifnece.c;sary, is 24 Jan\n     14 (approximately 90 days after receipt of ASN(RDA), NA VSEA and OPNA V N81\n     lindings). As noted previously in our response to A. I. CNIC has concluded the\n\n                                                  5\n\n\n\n\n                                  f9R 9FFIEUrb HS!ol ONLY                                                  DODIG-2013-134   I 43\n\x0cManagement Comments                                  FOR OFFIC!Ab USE ONLY\n\n\n\n                    Department of the Navy Comments (cont\'d)\n\n\n\n\n                         Rapidgate system allows contractors to have access to Navy installations by properly\n                         vetting their identities through the mandatory authoritative databases."\n\n                         RIECOMMENDATION C.4.: The DODIG recommended that the ChicfofContracting\n                         offices at Naval Surface Warfare Center Port Hueneme and! Panama City:\n\n                           a. Review the 3e Technologies tntemational subcontract and determine whether the\n                         costs should be disallowed and recouped in accordance with Federal Acquisition\n                         Regulation 42.8, \'\xc2\xb7Disallowance of Costs,\'\' or if ratification actions may be appropriate in\n                         accordance with Federal acquisition Regulation 1.602-3, "Ratification of Unauthorized\n                         Commitments, and\n\n                            b. Take the appropriate contracting actions in accordance with the determinations of\n                         the review.\n\n                         Response (NAVSEA): Concur. The review wilt be conducted by 25 Oct 13 and witt\n                         apply to the two contract actions specified in the report, which occurred within the\n                         NA VSEA Enterprise.\n\n\n\n\n                                                                      6\n\n\n\n\n44   I DODIG-2013-131                                FOR OFFICIAL 1:1SE ONUt\n\x0c                                   POR OPFIEIAL toJ~E OIH;Y   Acronyms and Abbreviations\n\n\n\n\nAcronyms and Abbreviations\n     3eTI   3e Technologi es International\n     BCA Business Case Analysis\n    CNIC Commander, Navy Installations Command\n     COC Certification of Compliance\n    DTM     Directive Type Memorandum\n     FAR    Federal Acquisition Regulation\n     GIPC Government Purchase Card\n     HCA Head of Contrracting Activity\n    N3AT    Antiterrorism Office\n  NAVSUP Naval Supply Systems Command\n   NCACS    Navy Commer cial Access Control System\n    NCIC National Crime Information Center\n   NSWC Naval Surface Warfare Center\n      PIV Personal identity Verification\n\n\n\n\n                                   FOR OPFICIAL USE OPHX                 DODIG-2013-134   I 45\n\x0c\x0c             Whistleblower Protection\n            U.S. DEPARTMENT OF DEFENSE\nThe Whistleblower Protection Enhancement Act of 2012 requires\nthe Inspector General to designate a Whistleblower Protection\nOmbudsman to educate agency employees about prohibitions on\nretaliation, and rights and remedies against retaliation for protected\ndisclosures. The designated ombudsman is the DoD IG Director for\nWhist/eblowing & Transparency. For more information on your rights\nand remedies against retaliation, go to the Whistleb/ower webpage at\n               www.dodig.miljprogramsjwhis.tleblower.\n\n\n\n\n   For more information about DoD IG\n  reports or activities, please contact us:\n                        Congressional Liaison\n                Congressional@dodig.mil; 703.604.8324\n\n                             DoD Hotline\n                             800.424.9098\n\n                            Media Contact\n                 Public.Affairs@dodig.mil; 703.604.8324\n\n                           Month!}\xe2\x80\xa2 Update\n                  dodigconnect-request@listserve.com\n\n                         Reports Ma iling List\n                  dodig_report-request@listserve.com\n\n                                Twitter\n                          twitter.com/DoD_IG\n\x0c\x0c'